Marriott is the largest hotel chain in the world by number of available rooms, with 30 brands and roughly 8,000 properties totalling 1,423,044 rooms across 131 countries and territories. A company of that size has a sprawling IT estate that is hard to keep under control, and Marriott learned this the hard way: in November 2018 it disclosed a massive breach of its guest reservation systems that compromised the data of more than 327 million customers.
What data was leaked?
Marriott has owned Starwood since acquiring it in 2016, and the compromised system was the Starwood guest reservation database, which Marriott inherited with the acquisition. The intruder did not merely read the data: for approximately 327 million of the affected guests, the attacker copied information out of the system that includes
- some combination of name,
- mailing address,
- phone number,
- email address,
- passport number,
- Starwood Preferred Guest (“SPG”) account information,
- date of birth,
- gender,
- arrival & departure information,
- reservation date,
- and communication preferences.
All of the above is personal data under data protection law, and the passport numbers, dates of birth and contact details in particular are exactly what an identity thief needs.
How did Marriott get fined?
The UK Information Commissioner's Office (ICO) fined Marriott International £18.4 million under the GDPR for failing to keep millions of guests' personal data secure. The ICO's notice of intent in July 2019 had proposed a far larger penalty of £99 million; the final figure announced in October 2020 was reduced after Marriott's representations and the effects of the pandemic were taken into account. Marriott was the second company, after British Airways, to be served a GDPR penalty notice by the ICO in 2019.
The ICO found that the attackers had access to roughly 339 million guest records worldwide, about 7 million of which related to people in the UK. The attackers' initial entry point is not known, but the intrusion began in the systems of Starwood Hotels Group, which Marriott International later acquired, and it remained undetected for four years.
The personal data exposed in the breach includes guest names, email addresses, phone numbers, unencrypted passport numbers, and arrival and departure information, together with guests' VIP status and loyalty membership numbers.
The ICO's investigation concluded that Marriott International had failed to carry out sufficient due diligence when it acquired Starwood and had not put appropriate security measures in place on the acquired systems. The incident was a sustained cyber attack, not an accidental disclosure, and the regulator's point was that the attack should have been found and contained far sooner.
What is the Information Commissioner's Office?
The Information Commissioner's Office (ICO) is a non-departmental public body that reports directly to the Parliament of the United Kingdom. It is the independent regulator for the Data Protection Act 2018 and the GDPR. The Commissioner's mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Details of the Cyber Attack on Marriott
The attack began in 2014, when an unknown attacker installed a web shell on a device in the Starwood network. When Marriott International later acquired Starwood, that foothold gave the attacker remote access to the guest reservation database that Marriott now owned.
The web shell was then used to install further malware, a remote access trojan, which let the attacker connect to the system remotely as a privileged user. With privileged access, the attacker had effectively unrestricted control of the compromised device.
From there the attacker installed additional tools to harvest login credentials and gather further information, extending the compromise to other systems.
Impact of Failure
The private data of millions of customers was in the hands of the attackers. Many customers complained to Marriott; some tried to reach the hotel through its helpline and got no response, and the rest were left to protect their own personal data as best they could.
When a business fails to protect its customers' data, fraud against those customers rises, impersonation and phishing in particular, because the leaked names, contact details and booking histories make the attackers' approaches credible. The Marriott leak hit European citizens especially hard, which is why a European regulator was the one to act.
The Aftermath
The 2018 disclosure was not the end of the story. In March 2020, less than two years later, Marriott disclosed another breach: the login credentials of two employees at a franchise property had been obtained and used, from mid-January 2020, to access the records of approximately 5.2 million Marriott guests.