GDPR May Add Up To $8.8B To Marriott’s Data Breach Expenses
The Marriott data breach is under investigation in several of the countries where the hotel and resorts giant operates. For the E.U., the UK Information Commissioner’s Office (ICO), the independent body set up to uphold information rights, acts as lead supervisory authority, and the data protection authorities of the other member states concerned can join the case as "supervisory authorities" under the GDPR cooperation mechanism. According to the ICO, the investigation is at an early stage and no official attribution has been made. The article's figure works as follows: the company's global annual revenue reached $22.89 billion in 2017, the strictest GDPR fine is capped at 4% of global annual turnover, and on that basis it puts the potential E.U. sanction at $8.8 billion. That arithmetic should be checked before it is repeated: 4% of $22.89 billion is roughly $0.9 billion, so the $8.8 billion headline figure is not the statutory maximum and is well above it. On the article's own numbers, the sanction would surpass the $3.5 billion that analysts estimated in the days after the incident went public. In addition, affected customers may bring claims for damages against the company, which would push the cost of the breach higher still. In the worst case, if it were shown that the company knew of the intrusion well before it was disclosed, the U.S. Securities and Exchange Commission could open an enforcement action against Marriott for failing to disclose a material event to its investors.
The exposure is smaller than initially estimated
On January 4, Marriott International issued a new announcement that revises the scale of the damage. According to the updated report, the attack involved 383 million guest records rather than the 500 million initially estimated. The report also states that 5.25 million unencrypted passport numbers were exposed in the breach, together with 20.3 million encrypted passport numbers. Because a passport number can serve criminals as an alternative form of identity, affected customers who obtain a new passport may, under certain conditions, be eligible for $100 in compensation.
The revised breach notification does not change the number of breached payment cards, which stands at 8.6 million encrypted cards, of which some 354,000 were still active as of September 2018. Those active cards carry a real risk of fraudulent use by an unauthorized third party. Given that the intrusion started in 2014, it is also possible that some of the cards that have since expired were misused in the past.
Marriott tries everything in its power to avoid the worst
To help its customers, and to avoid the full fury of the E.U. privacy regulator along with the heavy financial consequences that would follow, Marriott has taken several steps. It is offering compensation to breach victims for passport replacement; it has set up a dedicated call centre and an informative web page that answers the questions affected guests are likely to have; and, most reassuringly, a large part of the stolen data was encrypted, which makes it harder to exploit, provided the encryption keys were not taken along with it.
In the aftermath, we consider it unlikely that Marriott will receive the maximum penalty, unless it is shown that the supervisory authority was not notified promptly (the GDPR requires notification within 72 hours of the company becoming aware of the breach). The Marriott data breach was the first to make headlines after the GDPR came into effect last May, but it is not the only one reported. More than 200 intrusion incidents requiring cross-border cooperation are currently being probed, some of them involving breaches of sensitive personal data.
Via Forbes