Marriott Hotels and Resorts has been hit with a huge class-action lawsuit over the data breach which saw 500 million customers affected, and that’s just the start. Under GDPR, the hospitality giant could face the world’s first significant fine under the new data protection act.

Despite Marriott being headquartered in the US, the breach falls under European wide GDPR rules, meaning the group now faces financial penalties of up to 4% of its annual global revenue. And in 2017 Marriott generated approximately 22.9 Billion US dollars in revenue last year. The news doesn’t get any better over in the US for Marriott, in the wake of the breach lawyers filed a class-action against them, seeking $12.5 billion in damages.

The company said it became aware of a security breach in early September, but further investigation revealed unauthorised access to the guest reservation database dating back to 2014. The breach exposed the personal information of approximately 500 million guests, and security experts have been speculating about how hackers were able to access the system. It is believed that the security systems in place were simply not sufficient enough to protect all of the sensitive data it held. To make matters worse, it has been revealed that although the data was encrypted, the hackers potentially stole the encryption key to read it.

Marriott said the extent of the compromised data varies by guest, but it includes names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, arrival and departure dates and times and credit card numbers and expiration dates. If it is discovered that hackers have gained access to the encryption keys for the credit card information the system held, it could mean that millions of customers are at financial risk. Arne Sorenson, the president and chief executive of Marriott International, said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The data breach is likely to attract the attention of European regulators, both for the scale of the problem, and the delay in reporting it to the public. The general data protection regulation (GDPR) allows for fines for data breaches of up to 4% of annual turnover and in Marriott’s case, that would mean a maximum fine of £117m.

What is a data Breach?

A data breach occurs when sensitive and confidential information is accessed by a third party who is not authorised to do so. This data can include things such as passwords, credit card numbers, health records or addresses. The most common ways hackers gain access to a system, is by guessing a password or by installing malware. Data breaches can range in size, from a single individual accessing a file, to millions of company records being stolen. How someone is affected by a data breach depends on the information that is accessed and released. The best way to protect your data is to change your password regularly and not store sensitive information on your computer.

Marriott has taken the following steps to help guests:

Dedicated call centre: Marriott has established a dedicated call centre to answer questions you may have about this incident. The call centre will be open 7 days a week and is available in multiple languages.

Email notification: Marriott began sending emails on a rolling basis on November 30, 2018 to affected guests whose email addresses are in the database.

Free WebWatcher enrolment: Marriott is providing guests the opportunity to enrol in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumers personal information is found. Check with Marriott online to see if you are eligible to sign up for this service.