In 2014, hackers exploited the reservation system of Starwood Hotels and Resorts, which was acquired by Marriott in 2016. The breach exposed user data that included names, phone numbers, email addresses, passport numbers, and dates of birth, and even some encrypted credit card data.
As a result of this breach, Marriott may be one of the first organizations to feel the full force of the EU’s General Data Protection Regulation (GDPR) penalties. GDPR exposes Marriott to unprecedented levels of financial penalties and to liability for its executives. Marriott acquired Starwood back in 2016, but did not find out about the 2014 breach until several months after the merger. GDPR requires companies to alert government authorities within 72 hours of learning of a breach. Given that Marriott did not disclose this breach until last week, Marriott could face fines of up to 4 percent of its global revenue. Because ownership of Starwood changed hands, the investigation into the violation will take time and may not be finalized until later in 2019.
Separately, the first of what is expected to be many class-action lawsuits against Marriott has already been filed on behalf of customers affected by the breach. On top of that, Marriott’s security practices are also facing probes from the New York Attorney General’s office.