Highly sensitive personal documents and payment information have been laid bare in a giant data breach of international hotel chain Marriott, with the company potentially staring down a $200 million fine for the incident.
The hotel chain announced over the weekend that its Starwood guest reservation database had been subject to a cyber attack in 2014, but it only discovered the breach in November, almost four years later.
Starwood is a subsidiary of the Marriott International Group, and the holding company of other big-name hotel brands such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, and Four Points.
In total, the information of over 500 million users was accessed in the breach. For about 327 million of those guests, the information revealed included personal information, passport numbers, arrival and departure information, and reservation dates.
However, a number of the guests also had their credit card details accessed in the hack, and although those details were encrypted, the company has “not been able to rule out the possibility” that the encryption keys needed to decrypt those card numbers were also taken.
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement.
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.”
Much like Australia’s mandatory data breach reporting scheme, the EU has legislation, the General Data Protection Regulation (GDPR), that requires companies to disclose significant data breaches. Under the law, companies must notify authorities of a data breach within 72 hours of becoming aware of it.
The legislation also allows significant penalties for companies that suffer significant data breaches. The Guardian reports Marriott could be facing fines in excess of £117 million ($202 million) or 4% of its annual turnover.
Marriott share prices are down 5% since the announcement.