Three things you need to know about 2018’s biggest reported data breach - the Marriott hack

Feb 2019 | Cyber Risk

In 2019 it is almost inevitable that data breaches will continue to increase as more and more companies report significant breaches. The theft of data from Marriott International's reservation database was one of the biggest data breaches reported in 2018, and is far from being resolved. Here are three things that you need to know about the breach.

1. The breach took around four years to discover

In September 2018 Marriott discovered that since 2014, its reservation database for its various hotel brands (including the W Hotels, Sheraton and Westin hotels) had been hacked by an unknown third party which had copied, encrypted, and stolen its guests’ personal information.

In addition to the usual names and contact details, the personal information worryingly included passport numbers and payment card numbers.

Because the hacker had encrypted the breached data, Marriott’s investigators were unable to easily establish the extent of the breach because the records had to first be unencrypted. Consequently, initial reports in November 2018 of the breach of over 500 million records were overstated.

In January 2019 Marriott corrected the overstatement, and announced that: 

  • Up to 383 million records were accessed with details of date of birth, gender, encrypted payment card numbers, contact details and passport numbers.
  • 5.25 million unencrypted passport numbers were accessed (over 100 million less than originally thought).
  • 20 million encrypted passport numbers were accessed, with no evidence that the master encryption key had been accessed.
  • 354,000 current encrypted payment information records were breached.

Unconfirmed reports have linked the breach to a Chinese spy agency, which could raise queries for the availability of insurance cover if the conduct could be said to be, for example, a hostile act by a government or its agent.   

2. Marriott’s reaction was good, but could have been better

After Marriott learned of the breach in September 2018 it:

  • Appointed investigators to assess the breach, which appears to be a quick response; although it took some months to ascertain the scope of the breach.
  • Issued a press release in November 2018 on its initial understanding of the extent of the breach, and provided an update on 4 January 2019 revising the numbers and providing further details. These releases were detailed, but commentators have been critical of the two month gap between the initial discovery and first public statement.
  • Established a dedicated website and call centre to allow people to check whether their details had been accessed, although there was some criticism that victims outside the US, UK and Canada were not getting the same level of assistance.
  • Provided affected guests with email notification of their involvement in the breach. However the email notification has been criticised by security experts because it was sent from ‘’ which apparently made the notification appear inauthentic and was said to be easily spoofable.
  • Offered free monitoring of personal information for one year. This is a good response, although significantly, does not appear to include credit monitoring, but merely the monitoring of personal data on public websites, chat rooms, and on the dark web where breached data is often dumped or sold.

3. The cost to Marriott will be huge

At the time of Marriott’s initial announcement that 500 million records had been breached, its share price dropped, however appeared to regain some ground when the revised figures were released in January 2019. Nevertheless the direct costs are continuing to accrue and will be much more significant and, could include:

  • investigation costs;
  • crisis management costs;
  • ID and credit monitoring costs including call centre costs;
  • costs of notifying individuals and regulatory bodies;
  • legal fees to ascertain regulatory obligations in numerous jurisdictions; and
  • fines issued by various privacy bodies in Europe, the US and the Asia Pacific. The EU fines can be up to 4% of annual turnover for the most serious of breaches, which, for Marriott, would reportedly equal a fine of over USD900 million.

In addition Marriott may face possible liability to affected guests. To date, at least two class actions have been filed in the US on the basis that Marriott failed to ensure the integrity of its servers and safeguard sensitive information. Further actions have also been foreshadowed. One of the filed actions seeks $12.5 billion in compensation. It is not clear what damage the class members are alleged to have suffered, and recent data breach settlements have been much lower, with Uber reportedly paying $148 million to settle a class action for a 2016 hack, while Yahoo’s proposed settlement of $50 million for a breach reportedly affecting 3 billion users was recently rejected by a US judge.


Data breaches continue to be an increasing risk, with unauthorised access to personal and sensitive information grabbing headlines around the world on a daily basis. In January alone in Australia, the Victorian Government announced a breach of 30,000 public servants’ contact details and the 'My Health Record' system which holds sensitive information, reported 42 data breaches in 2017-18.

Breaches often take time to detect, and a business’s response, if handled well, may assist in minimising losses. It is certainly clear that all businesses are vulnerable and steps should be taken to protect valuable data and intellectual property, as well as obtaining an appropriate level of insurance cover.

Please contact our cyber experts Katherine Hayes and Greg Stirling if we can be of assistance.