Contrary to popular belief, the hospitality industry is an excellent target of cybercrime because of the sheer amount of personal and sensitive data held.
Every day, hotels, hostels, and restaurant chains handle credit cards, emails, contact preferences, home addresses, and other sensitive data from millions of customers, and hackers want to get their hands on that information.
A data breach can go undetected for quite a long time, as some of the cases below demonstrate, which would only increase the GDPR fine nowadays!
Here are 6 hospitality businesses who have recently faced data breach fines, and the cybercrime that caused them.
Back in 2014, Hilton hotels were a victim of a data breach, followed by another breach during 2015, which resulted in the data loss of over 360,000 customers. The data that was stolen held sensitive information like credit card numbers, names, addresses, and more.
The biggest issue is that Hilton failed to inform its customers about the breach in a timely manner. It took them ten months after they learned about the breach to inform their customers, resulting in a $700,000 fine for lack of adequate security and failing to inform customers about the breach. If this had happened recently, their fines would be much higher under GDPR – they would have to pay around $420 million.
Radisson Hotel Group faces fines under the newly adopted GDPR. The breach was discovered in 2018, with Radisson claiming to have promptly informed the EU regulators within the 72-hour timeline. It was detected in the Radisson Rewards database, and some members of their Rewards programs were compromised.
Apparently, no credit card or passwords were stolen. Stolen data included names, addresses, email addresses, company names, Rewards member numbers, and frequent flyer numbers. Still, the hotel chain might be facing a €10 million fine.
Even Trump hotels aren’t spared of data breaches. The hotel chain suffered a data breach back in 2014 when over 70,000 credit card numbers and other personal data were stolen via the payment processing system that was infected. The now president Trump agreed to cover the $50,000 fine that was issued because the hotel chain didn’t bother to inform their customers about the breach even though they knew about it for months.
Restaurant chain Wendy’s had to pay a hefty fine because of the data breach that happened in 2015 and 2016 when 1,025 POS systems used at their locations were infected with malware that led to a lot of stolen credit card info. It is reported that over 18 million cards were compromised in the breach.
Many of these cards were used to commit fraudulent online purchases, so Wendy’s had to face a class action lawsuit from affected financial institutions and consumers. Wendy’s reached a settlement that required them to pay $50 million by the end of 2019.
Zippy’s restaurant chain based in Hawaii suffered a data breach in November 2017 and first discovered the breach in March 2018. All cards used during that time might have been affected. The compromised information included credit card numbers, expiration dates, names, and security codes.
There is no information about how many customers were affected, but a class action lawsuit was filed against FCH Enterprises, the owner of Zippy’s Restaurant. It’s worth noting that not only the restaurant chain was affected, but other franchises held by FCH – Napoleon’s Bakery, Kahala Sushi, Pearl City Sushi, and Pomaika’i Ballrooms. FCH reached a settlement and agreed to pay $725,000.
Probably the case that got most traction is the large data breach that occurred with the Marriott hotel chain. Personal data and credit card details, even passport numbers and dates of birth of more than 500 million of their customers were stolen. The Marriott group includes hotel chains such as Sheraton, Westin, W, Le, Meridien.
The breach was first discovered in September 2018, while detailed investigation revealed ongoing unauthorized access dating back to 2014. While they did encrypt sensitive data such as credit card information, the group stated they cannot be sure that encryption keys were not stolen too.
The most concerning part is that this was ongoing for four years, meaning security monitoring profoundly failed. The fine: $3.5 billion dollars plus $915 million from ICO GDPR.
With the rising risk of data breach and come rising prices of fines, especially with the GDPR in place, make sure you protect your customers’ sensitive data to avoid fines and ensure your guests rest easy knowing their personal information is safe with you.