We’ve got another cyber attack being reported, this time for Marriott International and its Starwood business to the tune of up to 500 million guests. This puts it around the third worst attack in recent history. What will make this latest compromise even more noteworthy is it’s being one of the larger attacks since the European Union’s General Data Protection Regulation privacy law took effect in May. That’s a new development that Marriott and others will need to contend with, which could result not only in fines but also drive a pronounced pick up in cybersecurity spending. In thematic speak, that’s a potential tailwind for our Safety & Security investing theme.
Marriott International Inc. on Friday disclosed one of the biggest data breaches in history, a hack in the reservation database for its Starwood properties that may have exposed the personal information of up to 500 million guests.
News of the attack—rivaled only by the theft of information in 2013 and 2014 from internet company Yahoo—roiled customers of the world’s largest hotel company and lowered its stock price.
In addition to the size of the Marriott exposure, security analysts say the range of customer data potentially compromised—such as passport numbers, travel details and payment-card data—make the breach even more sensitive. Numerous regulators in the U.S. and abroad said they are monitoring the situation.
Marriott will face scrutiny from regulators, particularly in Europe where the European Union’s General Data Protection Regulation privacy law took effect in May, said Travis LeBlanc, a partner with Boies Schiller Flexner LLP. Although the Starwood breach predates GDPR, Mr. LeBlanc said because the unauthorized activity continued after the law went into effect, the incident would likely be subject to it.
Britain’s Information Commissioner’s Office, which can fine companies for failing to protect customers’ personal data, also is investigating. This year, the office fined major companies including Facebook Inc. and Uber Technologies Inc. for mishandling data.
The Marriott hack joins a list of breaches to hit the hospitality industry in recent years. Security analysts say the industry is a ripe target for criminal actors because of the wealth of financial and other information flowing through payment and reservation systems. It also is a highly fragmented business, in which large companies such as Marriott and Hilton Worldwide Holdings Inc. largely license their brands to property owners who manage the hotels.