As known, paragraph (5) of Article 12 of the Law on Protection of Personal Data No. 6698, with the title “Obligations Regarding the Data Security” stipulates that; “If the processed personal data are obtained by others through illegal methods, the data controller shall notify the relevant person and the Turkish Data Protection Board (“Board”) of this issue at the earliest time possible. If necessary, the Board may publish this issue on its website or announce in any other way it deems appropriate.”

According to the Public Announcement made by the Board, Marriott International, Inc. (the “Company”), which is a USA based hotel chain, has notified the Board of a data breach incident occurred including the Company and its subsidiaries on 04.12.2018.

Upon the evaluation carried out by the Board, the Board has rendered a decision with No. 2018/147 and dated 05.12.2018 to publish a notice regarding this data breach on its web page.

The Company has described the date and nature of the personal data breach the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned in the data breach notification letter received by the Board on 04.12.2018.

The Company has provided the Board the following information regarding the data breach in the notification letter, wherein they have stated that:

  • On 8 September 2018, the Company has received a security alert from the in-house security tool regarding the attempts of access to the Starwood guest reservation database,
  • During the investigation carried out, they have found out that there has been unauthorized access to the Starwood network since 2014,
  • The hackers have gained unauthorized access, copied the data and encrypted it,
  • The Company has decrypted the data on 19 November 2018 and found that the content was taken away from Starwood guest reservation database,
  • The personal data subject to breach concerns approximately 500 million guests, who had made a reservation at a Starwood facility on or before 20 September 2018,
  • The type of personal data subject to breach involves various combinations of the personal data including name-surname, mail address, telephone number, e-mail address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and check out information, reservation date and communication preferences of approximately 327 million out of these guests,
  • Among the personal data subject to breach were the credit card numbers, and expiry dates of the credit cards with which payments were made and which have been encrypted by Advanced Encryption Standard, however they could not declare whether these encryptions were decrypted or not, and
  • With this data breach the data controllers consisting of W Hotels, St. Regis, Sheraton Hotel & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels, and timeshare Starwood labelled facilities were affected.

The information given in this note are aimed only at providing information, and does not serve as a legal opinion under any circumstances.