Data protection authority fines Marriott hotels for data breach


Turkey has imposed an administrative fine of TL 1.5 million on U.S.-based Marriott International due to a five-year security breach of the giant hotel chain. The hotel's database has 1.2 million customer records from Turkey; however, the number of people affected by the security breach cannot be determined at the moment because of multiple entries for the same customer.

The Personal Data Protection Board (KVKK), which reviewed the statements submitted by Marriott International Inc. on Dec. 4, 2018 and March 28, 2019, decided to impose an administrative fine of TL 1.5 million on Marriott. In December 2018, cyberattackers seized data from nearly 500 million visitors staying at Marriott's Starwood group hotels. The security breaches between 2014 and 2018 also included a combination of birth date, passport, email and credit card information of those staying in the said hotels. The Marriott Group notified the KVKK on the subject under the Personal Data Protection Act in force in Turkey. After reviewing these notifications, the board announced that among the 383 million customer records, there are approximately 1.24 million Marriott customers residing in Turkey. However, it was also noted that the number of Turkish customers affected by the breach could not be determined precisely due to inaccurately stored customer information.

Stressing that there had been unauthorized access to the network where the hotel chain's database had been held since 2014 and that the breach lasted for four years until Nov. 19, 2018, the decision further indicated that the company had not carried out the necessary inspections and controls in this regard.

Hong Kong-based airline faces penalty due to data breach

The Personal Data Protection Board has imposed an administrative fine of TL 550,000 on Hong Kong-based airline Cathay Pacific due to a data breach that affected 1,286 people from Turkey and compromised the passport numbers of 155 people.

Unauthorized access to Cathay Pacific's information systems, including passenger information, was recorded on March 13, 2018 as a result of a cyberattack, but the company detected it only on May 7, 2018.

Passenger information compromised due to the cyberattack included a combination of names, nationalities, phone numbers, dates of birth and e-mail addresses. The said breach affected 1,286 people from Turkey, while also compromising the passport numbers of 155 people.

The KVKK later initiated an investigation into Cathay Pacific's data breach notification.

The board concluded that Cathay Pacific had been informed of suspicious activity connected to the breach on March 13, 2018, but that the problem was detected only on May 7, 2018, approximately two months later.

Determining that this was a security breach and that the necessary audits and reviews were not carried out by the company, the board decided that the data security provisions of Article 12 of the Personal Data Protection Law had been violated.

The board found that the necessary administrative and technical measures required by the law to prevent data breaches were not taken and imposed an administrative fine of TL 450,000 on Cathay Pacific on the grounds that the data security obligations were not fulfilled. The board ruled that Cathay Pacific's notification of a cyberattack to the Personal Data Protection Board and those affected by the breach on Oct. 25, 2018 was in violation of its obligation to notify the parties in the shortest period specified in the law, and therefore imposed an administrative fine of TL 100,000.