When Marriott International revealed a massive security breach at Starwood-branded properties, it joined an unfortunately long line of guest data breaches by hoteliers.
The scope of the breach at the world's largest hotel group is more spectacular than any other in travel to date. Marriott said the breach affected hundreds of millions of customers who stayed at Starwood-branded properties between 2014 and September 10.
The breach may also expose the parent company, Marriott, to record fines because, unlike most past breaches, some of the activity appeared to happen after Europe put the General Data Protection Regulation (GDPR) into place in May 2018, a law that boosts fines for violations of some types of data security.
Exact fine estimates are impossible to gauge, but experts said the prospective range would be potentially higher than the spectrum used by European Union and U.S. officials in the past. European officials have the discretion to fine companies up to 4 percent of annual revenue in the year preceding a data protection incident.
Other investigations are in the offing. On Friday, the New York attorney general's office said it would open an investigation into the breach.
That office has had success in pursuing prosecutions before. In 2017, Hilton Worldwide agreed to pay a $700,000 fine to the state of New York after data security failures exposed more than 350,000 credit card numbers in two breaches in 2015.