October 19, 2020

Volume X, Number 293

October 16, 2020

Subscribe to Latest Legal News and Analysis

Marriot Hotel Reveals Further Details About Records Impacted by Data Breach; Revises Down Number of Affected Records

Late last year the Marriott Hotel announced that it had suffered a data breach, which affected approximately 500 million guests who made a hotel reservation using its Starwood reservation system. Details about the data breach can be found in our previous blog.

The Marriott has now advised that it believes as many as 383 million records were accessed in the data breach. While this number has been revised down from the initial assessment of 500 million records, the Marriott believes approximately 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers and 8.6 million encrypted debit and credit card numbers were obtained by hackers. So far the Marriott believes the hackers have not gained access to the master encryption key needed to decrypt the encrypted passport numbers or payment card numbers.

It is not unusual for a company to revise the size of a data breach it has suffered after further investigations into the data breach have been completed. Nevertheless, 383 million records impacted by the breach is still a significant number, especially when some of those records contain unencrypted identity information. The Marriott has advised guests that it will put a process in place for guests to look up whether their passport number was one of the unencrypted passport numbers, which is worth checking once the process is up and running if you have received a notification from the Marriott about the breach.

Copyright 2020 K & L GatesNational Law Review, Volume IX, Number 9


About this Author

Warwick Andersen Technology Lawyer KL Gates

Mr. Andersen is a senior corporate lawyer with a focus on commercial, technology and sourcing projects. He has advised on large scale outsourcing projects, technology agreements for both vendors and customers, corporate support, privacy and telecommunications regulatory work. He has acted for government departments, large listed companies, telecommunications companies and technology suppliers.

Rob Pulham Corporate Attorney K&L Gates
Special Counsel

Rob Pulham is an experienced corporate advisory and transactional lawyer with an active technology and privacy practice representing companies in the energy, manufacturing, mining, retail, health and financial services sectors, as well as government and not for profit organisations. He has extensive experience advising customers and vendors in the technology industry, with particular focus on software licensing, data privacy and protection, and systems integration projects. In his role as a senior corporate lawyer, Mr. Pulham reviews organisational policies and practices regarding data privacy to identify key risks, develops and implements strategies to mitigate privacy and cybersecurity risks, and advises clients in the investigation of, and response to, data breaches.

Mr. Pulham also serves as a strategic advisor to his clients, regularly advising on large outsourcing and technology procurement matters including negotiating software licensing terms with ERP and CRM vendors such as Oracle, SAP and Salesforce, and on major systems integration transactions. He advises his clients on all facets of their technology practices, procurement and needs, including key technology procurement requirements and licensing issues (acting for both customer and service provider clients), marketing and advertising in compliance with Australian competition and consumer laws, website content and terms of use, and general commercial intellectual property and software licensing matters.

Keely O'Dowd, K&L Gates, attorney, Melbourne

Ms. O'Dowd is an experienced lawyer with a focus on technology and sourcing projects. She advises on a broad range of technology transactions, including procurement, outsourcing and software licensing. This work includes drafting and advising on a range of IT procurement and supply agreements. Ms. O'Dowd advises a range of corporations on privacy and cybersecurity.