Marriott International, Inc. ("Marriott") announced1 on December 4, 2018 that a major security incident had occurred in the Starwood Hotels and Resorts guest reservation database. The Starwood brands include major hotels such as, among others, W Hotels and Sheraton Hotels & Resorts2. The news spread swiftly in the written and visual media and seriously affected the data subjects, whose private information, such as names and credit card details, was accessed by unauthorized persons. Since the breach involved all the hotels under the Starwood brand, it soon became one of the hot topics on many different media platforms in many countries.

Article 12/1 of the Turkish Personal Data Protection Law No. 6698 ("Law") states that the data controller shall take all necessary technical and organizational measures to provide a sufficient level of security. This is to prevent unlawful processing of, and access to, personal data. In addition, Article 12/5 of the Law obliges the data controller to notify the Data Protection Authority ("DPA") as well as the data subjects in case personal data is acquired through unlawful means. Accordingly, the DPA announced on December 12, 2018 that Marriott had notified both the DPA and the data subjects about the incident3.

The breach concerns approximately 500 million guests worldwide who made reservations at any Starwood facility between 2014 and September 20, 2018. The data of 327 million of these guests contains private information such as name, phone number, e-mail address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. More importantly, some of the data includes credit card numbers and expiration dates. However, Marriott was not able to identify whether the credit cards have been used.

More detailed information may be found in Marriott's announcement. The website also provides Marriott's contact information for residents of various countries who wish to receive more information regarding the incident. However, the website does not include any contact information for Turkish citizens who might have been affected by this breach.

This is the fourth time that the DPA has published a data breach declaration on its website. The first three data breach declarations concern Careem Inc4, Cathay Pacific Airways Ltd.5 and Ticketmaster UK6. The main issue in these declarations was also data breaches concerning large numbers of data subjects and their personal data, such as name, telephone number and even credit card information. Although the Law stipulates that companies may be fined between TRY 15,000 and 1,000,000, the DPA has not imposed any administrative fines for any of the said security breaches.



2 All of the Starwood brands are as follows: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels; Starwood-branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana).





The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.