[BreachExchange] Marriott may face GDPR fine of more than £17m

[Destry Winant]

http://www.travelweekly.co.uk/articles/318325/marriott-may-face-gdpr-fine-of-more-than-17m

Marriott International could face a multimillion-pound fine in Europe,
following news that the data of approximately 500 million guests had
been compromised, writes Katherine Price.

It is also understood that two American law firms have filed a class
action lawsuit against the US-based hotel chain.

Meanwhile, US senator Charles Schumer has called on the hotel group to
reimburse those affected to allow them to purchase new passports.

Although Marriott is based in the US, some guests were citizens of the
European Union, so the breach falls under European Union General Data
Protection Regulation (GDPR).

It is estimated that it could face a fine of up to €20 million (£17.8
million) or 4% of its annual turnover. Marriott’s turnover in 2017 was
$22.9 billion (£20.4 billion).

On September 8, Marriott was alerted to an attempt to access the
Starwood guest reservation database and discovered there has been
unauthorised access to the database since 2014. Marriott acquired
Starwood in 2016.

For approximately 327 million guests, the information included some
combination of name, address, phone number, email address, passport
number, Starwood Preferred Guest account information, date of birth,
gender, arrival and departure information, reservation date, and
communication preferences.

Brian Craig, legal director at UK law firm TLT, said: “The
implications of a data breach of this scale can be significant for a
business – not just from a regulatory enforcement point of view,
meaning investigation and possibly a significant fine, but also from a
litigation point of view, after [supermarket] Morrisons was held to be
vicariously liable for a data breach by a disgruntled employee
affecting thousands of employees in a class action earlier this year.”