The company was alerted by an internal security tool. It was established that the attackers had had unauthorised access since 2014. The guest reservation database of its Starwood division had been compromised by an unauthorised party. The hotel brands of Starwood, which was bought by Marriott International, include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network. Regarding the data breach, it was revealed that for about 327 million guests the exposed information included “some combination” of name, address, phone number, e-mail address, gender, date of birth and passport number. Encrypted payment card information was present in some cases. The stolen database contained details of reservations made on or before 10 September 2018.
The Federal Bureau of Investigation said it was looking into the attack. Marriott offered customers in the US and some other countries a year-long subscription to a fraud-detecting service. Although the Marriott group’s headquarters are in the US, it has to comply with the EU’s GDPR rules when dealing with citizens in the EU. Some customers expressed frustration over the incident on Twitter. A complaint filed in a Maryland federal court within hours of the disclosure accused Marriott of negligence as well as deceptive and unfair trade practices, and sought unspecified financial compensation.