The Marriott Hotel chain data breach is one of our most covered Cybersecurity stories about Beijing denying the accusation from western powers that it was behind the data breach. We revisit this story, with Turkey imposing a hefty fine against the Marriott Hotel International firm to the tune of 1.5 million Turkish Lira (US$267,352). The penalty imposed is not yet defined as the final verdict, as the hotel management itself is unable to provide the exact number of affected victims for the breach, due to the system having multiple entries per customer.
The data lost covered in the incident is estimated to reach 500 million+ customers of the hotel chain who at least checked-in once from 2014 to 2018. The information leaked in the breach included their real life name, passport data, birth date, email and credit card information stored in Marriott’s database. It was one of the largest data breaches in world history, which even made U.S. Secretary of State Mike Pompeo to accuse China for being behind the Marriott Hotel cyber attack as part of its state-sponsored espionage campaign.
The Turkish KVKK (Personal Data Protection Board) enforces Turkey’s Personal Data Protection Act confirmed that around 1.24 million of Marriott’s customers are Turkish. Hence, the country has jurisdiction regarding prosecution of Marriott hotel chains operating within Turkey. The U.S.Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations received a formal testimony from the Marriott Hotel Chain’s CEO and President Arne Sorenson.
The leadership team of Marriott Hotel International is taking the issue very seriously, and they are admitting full legal responsibility towards negligence with regards to the system they use for storing customer information. “As a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the Starwood Guest Reservation Database and our responsibility for protecting our guests’ data. To our guests, including our employees who have stayed at Starwood hotels, I sincerely apologize. We are working hard every day to rebuild your confidence,” explained Sorenson.
Sorenson admitted that the primary goal of the company is to recover its brand and reputation. They have established a dedicated call center where their customers can call to ask for assistance, with regards to information privacy issues caused by the breach. The CEO has not confirmed if the Call Center is also available for Turkey’s residents or if it is just exclusive for Canadian and U.S. residents. But he likewise confirmed that more than 53,000 calls was handled by the call center since its operation till February 28, 2019, the last operation of the call center they hired.
“While our forensic work was ongoing, Marriott worked to create guest communication documents and coordinate with external vendors to build the logistical infrastructure required to facilitate guest notifications. We wanted to be transparent with our guests and also to be ready on day one to handle inquiries from guests across the world,” added Sorenson.