On September 29, 2022, the Office of the Privacy Commissioner of Canada (the OPC) published the results of its investigation into the 2018 data breach involving Marriott International, Inc. (Marriott), finding many of the hotel giant’s privacy controls inadequate and recommending remedial steps to prevent future breaches.
On November 30, 2018, Marriott announced that it had experienced a data breach involving unauthorized access to a Starwood Hotels (Starwood) database, as previously reported in the E-TIPS® Newsletter. Starwood is a separate hospitality company that was acquired by Marriott in 2016, with the unauthorized access reportedly starting before the acquisition (i.e., spanning from 2014 to 2018). The threat actor reportedly obtained access to personal information contained in up to 12.8 million records where the country-of-residence information was listed as Canada. These records included information on guest profiles and contact details, guest reservations, passport details, and encrypted payment card information.
The incident prompted the OPC to launch an investigation into Marriott’s primary operating company for Canadian hotels, Luxury Hotels International of Canada, ULC. During the investigation, the OPC considered the following key issues:
In concluding its report, the OPC acknowledged the remedial steps carried out by Marriott, such as the decommissioning of the Starwood database in December 2018. It also recommended further action to ensure compliance, including having Marriott (i) retain an independent assessor to review any enhancements it has made to its systems; and (ii) review its organizational and governance measures as they relate to selected privacy practices. For both recommendations, the OPC requested that Marriott submit reports detailing its findings and proposed timelines for addressing any action items arising from the reviews.
Summary By: Imtiaz Karamat
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.