Date reported: Nov. 30, 2018
Impact: Data of about 500 million customers
Security failure: Insecure cash registers
Estimated cost of Marriott data breach: £99.2 million ($123.6 million) in proposed GDPR fines so far, but the total may reach $1 billion
The Marriott breach is another data breach that began long before this year, but the U.K.’s ICO announced the proposed fine under GDPR this past July.
After acquiring its competitor Starwood in 2016, Marriott discovered Starwood’s central reservation database had been hacked. The data breach, disclosed on Nov. 30, 2018, was one of the worst in history, affecting an estimated half-billion customers who made reservations at Starwood properties starting in 2014. According to the ICO, about 30 million of those customers were in the EU.
The attackers remained in the system after Marriott acquired Starwood in 2016; the company did not discover them until September 2018. Marriott said on its website that customer payment card data was protected by encryption technology. However, the company could not rule out the possibility that the attackers had also stolen the encryption keys needed to decrypt that data.
For some victims, only their name and contact information were compromised. For others, the attackers were able to take some combination of contact information, passport number, Starwood Preferred Guest number, travel information, and other personal data. Marriott believes the attackers stole the credit card numbers and expiration dates of more than 100 million customers, but the company is uncertain whether the attackers were able to decrypt those card numbers.
Security blogger Brian Krebs reported that Starwood had disclosed a breach in 2015 that “involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.”
According to the New York Times, the breach was eventually attributed to a Chinese intelligence group seeking to gather data on U.S. citizens. If true, this would be the most significant known breach of personal data conducted by a nation-state.
This year, Bloomberg Intelligence analysts Tamlin Bason and Holly Froum estimated the total costs at around $1 billion.
But the Wall Street Journal reported in August 2019 that the company had taken just a $126 million charge in connection with the data breach.
And Security Week reported that “unsurprisingly, several lawsuits have been filed against Marriott by both customers and investors in response to the breach. The company may have only paid a relatively small amount so far, but class actions resulting from cybersecurity incidents have been known to cost major firms tens of millions of dollars.”