Marriott Starwood Hotels Data Breach: Total Cost of $28 Million So Far

Marriott International has incurred $28 million in expenses to date related to last year's Starwood Hotels data breach, according to the hotel chain's earnings report for the fourth quarter of 2018. However, Marriott has received $25 million of insurance proceeds to offset these costs, resulting in $3 million in net expenses related to the data security incident.

Furthermore, Marriott in January disclosed that it exposed 5.25 million unencrypted passport records and 20.3 million encrypted passport credentials during its Starwood data breach. Marriott also said 383 million customer records may have been exposed due to the incident.

A Closer Look at the Starwood Data Breach

Marriott released details about the Starwood data breach on November 30. The hotel chain initially was alerted about an attempt to access its Starwood guest reservation database on September 8. It then investigated the incident and discovered there had been unauthorized Starwood database access dating back to 2014.

Also, Marriott identified an unauthorized party that had copied and encrypted sensitive company information. Marriott has since decrypted this information.

How Has Marriott Addressed the Starwood Data Breach?

Marriott has established a dedicated website and call center to help Starwood guests who may have been affected by the data breach. In addition, Marriott has notified affected Starwood guests about the incident via email and is providing guests with free access to WebWatcher, a mobile phone monitoring and tracking app.

Meanwhile, Marriott reported net income of $317 million in 4Q18, up from $114 million one year earlier. Marriott also recorded full-year 2018 net income of $1.9 billion, an increase of 23 percent year over year.

Will Marriott Receive GDPR Fines?

Marriott could face European Union (EU) General Data Protection Regulation (GDPR) penalties related to its Starwood data breach.

GDPR requires organizations to notify EU citizens about a data breach within 72 hours of first becoming aware of the incident. If EU officials discover Marriott violated this requirement or any other EU mandates, the hotel chain could face penalties of as much as 4 percent of its annual global revenue.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.