The breach totals in our data set have decreased from last year, primarily due to a lack of POS vendor incidents that have led to numerous organizations being compromised with stolen partner credentials.
Top 3 patterns– Point of Sale intrusions, Web applications and Crimeware patterns represent 93% of all data breaches within Accommodation
Threat actors– External (95%), Internal (5%) (breaches)
Actor motives– Financial (100%) (breaches)
Data compromised– Payment (77%), Credentials (25%), Internal (19%) (breaches)
Illustrative breaches
- Dunkin’ Donuts
- Huddle House
- Marriott International
- Choice Hotels
- EatStreet
- Doordash
- Checkers
- Hyatt Hotels
- Applebee’s
- Earl Enterprises
- Graeters Ice Cream
- Coffee Meets Bagel
- Zomato
- Royal Yachting Association (RYA)
- Happy Hotel
- MGM Resorts International
- Crew and Concierge Limited
- Princess Cruises
- Norwegian Cruise Line
- Landry’s
- Carnival Cruise Lines
- CouchSurfing
- Airbnb
- Cache Creek Casino Resort
- Boyne Resorts
- booking.com
- Expedia
- Marriott
- MGM Resorts
- The Ritz, London
- FireEye
- AB Staffing Solutions
- Domino’s
- McDonald’s
- Carnival Cruise
- McDonald’s
- Dotty’s
- Harbour Plaza Hotel Management Limited
Data breach – maximum fines and damages
- Marriott International: International hotel chain Marriott International has suffered data breach compromising personal data of 5.2 million guests around the world. This is the third incident of data breach that the hotel chain suffered. It is alleged that the exposed data includes names, addresses, date of birth, gender, email addresses and telephone numbers, employer name, room stay preferences and loyalty account numbers.
- DoorDash: DoorDash, a food delivery service, confirmed a data breach through a third party vendor, exposing the information of 4.9 million customers, delivery workers and merchants. The leaked data includes names, delivery addresses, phone numbers, hashed passwords, order history, last four digits of both customers’ credit cards and employee bank account number. The driver’s license information of 100,000 delivery drivers were also disclosed.
- Hyatt Hotels: Hyatt Hotels has been the target of cyber attacks on numerous occasions already. The first case was in 2015, but the bigger damage was done during a data breach in 2017. According to the company, the incident lasted for more than three months, from March 18 to July 2. What’s more, it affected 41 of its properties across 11 countries. The stolen data came from payment cards and included names, card numbers, and CVCs. Since it was the second time a major breach had happened, Hyatt Hotels went under public scrutiny, which affected its stocks and overall reputation worldwide.
Enforcements
| Name | Fine | Authority |
| Marriott International Inc | EUR 9,92,00,396 | Information Commissioner |
| Delivery Hero | EUR 1,95,407 | Data Protection Authority of Berlin |
| Louis Travel Ltd. | EUR 10,000 | Cyprian Data Protection Commissioner |
| Gesthotel Activos Balagares | EUR 15,000 | Spanish Data Protection Authority |
| Arp Hansen Hotel Group A/S | EUR 147,800 | Danish Data Protection Authority |
| Marriott International, Inc. | EUR 20,450,000 | Information Commissioner Office (ICO) |
| Foodinho | EUR 2.6 million | Italian Data Protection Authority (Garante) |
| AMPUDIA DIAZ, S.L. | EUR 1500 | Spanish Data Protection Authority |
| APARTAMENTOS PLAYA DE COVACHOS, S.L. | EUR 1000 | Spanish Data Protection Authority |
