The Starwood Hotels and Resorts data breach, in which 500 million hotel guests’ data was exposed, could lead brand owner Marriott to the world’s first significant fine under GDPR.
Despite Marriott having its headquarters in the US, the breach falls under European-wide GDPR rules, meaning the hotel group faces financial penalties of up to 4% of its annual global revenue.
The hotel and resorts giant said in a statement, filed with US regulators on Friday, that the breach was detected on its guest database on or before 10 September, but could affect records going back to 2014.
Around 327 million records contained name, postal address, phone number, date of birth, gender, email address and passport number of guests, while an unknown number of records contained encrypted credit card data.
"Marriott reported this incident to law enforcement and continues to support their investigation," the company said in its statement to the US Securities and Exchange Commission.
The data breach has all the ingredients to trigger the first significant fine to a brand under GDPR rules, according to Forrester senior analyst Enza Iannopollo, because it involves a large amount of sensitive data spanning several years.
"The effort here is not just about evaluating technical controls and establishing what didn't work for so long," Iannopollo said.
"Marriott will have to clarify also how they managed M&A due diligence, since the breach happened within Starwood systems and started before that acquisition, [and] whether they manage customers' personal data as the GDPR requires – and this question alone might determine the future of their business, considering the 4% global revenue potential fine that comes with violation of the rules."
The breach will also "certainly" trigger legal action by consumer groups, Iannopollo predicted – something that would further threaten the future stability of the business.
In the US, New York attorney general Barbara Underwood has opened an investigation into the data breach. Underwood’s communications director, Amy Spitalnick, told Bloomberg on Friday that Marriott was required to notify its office that a breach had been discovered, but had not yet done so.
Marriott said it will begin sending emails on a rolling basis to affected guests whose email addresses were in the Starwood guest reservation database.
The company added that it is also providing guests with a year’s free subscription to WebWatcher, a service that monitors websites where personal information is shared and alerts the consumer if evidence of their personal information is found.
"We deeply regret this incident happened," Arne Sorenson, Marriott’s president and chief executive, said. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
In 2016, Marriott bought Starwood, which includes the hotel chains Sheraton, Westin, Le Méridien and W.