It’s December!!! A time we all love because it marks the beginning of the end of yet another exciting and busy year… Okay, more accurately because it marks the official start of the festive season with office Christmas parties, Secret Santa and hopefully, some time away to recharge the batteries. Unfortunately, for those who are going away and have booked to stay at a Marriott hotel, you may have become the latest victim in yet another data breach.
This past Friday it was disclosed that the personal information of more than 500 million people was taken after hackers gained access to Marriott’s Starwood reservation database. For those who are unaware, Starwood is a series of hotels that Marriott bought in 2016. Unfortunately for Marriott, the breach was detected on September 8th, 2018, but the hackers had gained access to the reservation database from as early as 2014, prior to its purchase of Starwood. This means the hackers had unfettered access to that information for more than 4 years. The information taken included names, phone numbers, arrival/departure information, email addresses, passport numbers, dates of birth, credit card numbers and card expiration dates. When commenting on the incident, CEO Arne Sorenson explained “we fell short of what our guests deserve and what we expect of ourselves”. Marriott’s shares plummeted 6% upon the news, but is there worse to come?
It is believed the breach included EU citizen data, which brings GDPR into question. The breach is thought to be the second largest corporate data breach in history, behind Yahoo’s 3 billion accounts breach in 2017. Marriott has released a statement that it is in the process of notifying all those affected by sending out rolling emails since Friday (over 2 months after being aware of the breach – a violation of GDPR which requires notification of all EU citizens within 72 hours). If Marriott is found to have failed its customers, then there may be the possibility of the first ever maximum fine under GDPR, based on the size and scale of the breach. This would be sure to have further adverse effects on its share price. However, there may be an argument that the breach initially occurred prior to the enactment of GDPR on May 25th, 2018, and thus GDPR may not apply (I would not hold my breath on this). Nevertheless, it will take regulators many months to complete an investigation and determine the necessary penalties for a breach of this magnitude. Among the investigating regulators is the UK’s Information Commissioner’s Office (ICO), which has released a statement announcing it is making enquiries into the breach after it received a data breach report from Marriott.
GDPR and share price aside, Marriott could still suffer further punishment in the form of class action lawsuits, with several already filed against it. The highest so far was filed by a Portland businessman and a Salem attorney who are seeking $25 per customer or a cold $12.5 billion (this gives new meaning to a cold Christmas). Another was filed by law firm Murphy, Falcon & Murphy, based out of Baltimore. The lawsuit alleges that Marriott failed to ensure the integrity of its servers and to properly safeguard highly sensitive and confidential customer information, adding that Marriott did not take appropriate measures to protect and secure such sensitive information. Now, doesn’t all this have a bit of an Equifax feeling?
No wonder! Hassan Murphy, Managing Partner of Murphy, Falcon & Murphy, is a member of the Plaintiffs’ Steering Committee in the case of Equifax, which is responsible for prosecuting the nationwide consumer data breach litigation against Equifax. It will be interesting to see how both the Equifax and Marriott cases progress. One thing is for certain: customers will no longer be idle when firms lose their data and their trust. What are you doing to secure your clients’ trust?
Exate Technology – Protect the data, avoid a cold Christmas.