Data protection authority fines Marriott hotels for data breach

data breach

Regulators in Turkey have issued Marriott International with an administrative fine of TL 1.5 million (£213,122) due to the impact of the hotel chain’s five-year-long data breach on the country’s citizens.

The data breach, which affected millions of guests globally who were listed on Marriott International’s Starwood Division database, compromised the private data of 1.2 million customer records from Turkey.

The precise number of individuals affected by the cyber incident has not yet been calculated.

An administrative fine of TL 1.5 million was imposed by Turkey’s Personal Data Protection Board (KVKK) following a review of statements submitted by Marriott on 4th December 2018 and 28th March 2019.

Data breaches suffered by the global hotel chain took place between 2014 and 2018. Among data exposed were birth dates, passport details, emails, payment card information and travel data.

Following Marriott’s notification of the incident to the KVKK, a review board found that 1.24 million Marriott customers (of the approximately 383 million customer records lost) lived in Turkey.

Due to the manner in which the customer data was stored, Turkish officials have not yet been able to put a precise figure on the number of the country’s victims. The review board also accused Marriott International of failing to conduct necessary inspections and cyber security audits over the four-year course of the record-breaking data breach.

The board has also imposed an administrative fine of TL 550,000 on Hong Kong’s Cathay Pacific airline following a data breach which compromised the private data of 1,286 Turkish nationals.

On 7th May 2018, engineers at the global carrier flagged up suspicious computer activity which was eventually traced to a cyber-attack that had taken place on 13th March the previous year.

Among the data exposed were names, nationalities, phone numbers, birth dates and email addresses, while 155 people also had passport details exposed. The KVKK has also opened an official probe into the notification of Cathay Pacific’s data breach.


We’re now live at PrivSec Global!
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Register your virtual seat today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

Secure your seat

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.