U.K. Seeks to Fine Marriott International Over Starwood Hack

The U.K. Information Commissioner’s Office (ICO) announced it intends to fine Marriott International over a security breach that exposed the personal information of guests in the Starwood reservations database since 2014. The intended fine amounts to just over £99.2 million (approximately $123.5 million). 

In a written statement, Marriott said that it has the right to respond before any final determination is made and a fine can be issued by the ICO, and that it will “respond and vigorously defend its position.”

“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott President and CEO Arne Sorenson. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

Marriott also said that the Starwood guest reservation database that was attacked is no longer used for business operations. 

Marriott first announced the hack on November 30, 2018. It affected the personal information of customers, including passport and credit card numbers, in its Starwood reservations database, which it had acquired during the Starwood – Marriott merger in 2016. The database included the Starwood brands W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana) were also included.

In its most recent update, released earlier this year, Marriott estimated that approximately 383 million guest records, at most, were involved in the incident. The actual number of guests was lower, Marriott said, because in many cases there were multiple records for the same guest. The company also said that approximately 5.25 million unencrypted passport numbers were exposed, as well as approximately 20.3 million encrypted passport numbers. 

Following the incident, Marriott established a website with information for guests who believe they may have been involved in the incident, with phone numbers to reach the company’s dedicated call center. That website is available at https://info.starwoodhotels.com/

The article originally appeared on www.travelagentcentral.com.
