The breach totals in our data set have decreased from last year, primarily due to a lack of POS vendor incidents that have led to numerous organizations being compromised with stolen partner credentials.

Top 3 patterns– Point of Sale intrusions, Web applications and Crimeware patterns represent 93% of all data breaches within Accommodation

Threat actors– External (95%), Internal (5%) (breaches)

Actor motives– Financial (100%) (breaches)

Data compromised– Payment (77%), Credentials (25%), Internal (19%) (breaches)

Illustrative breaches

  • Dunkin’ Donuts
  • Huddle House
  • Marriott International
  • Choice Hotels
  • EatStreet
  • Doordash
  • Checkers
  • Hyatt Hotels
  • Applebee’s
  • Earl Enterprises
  • Graeters Ice Cream
  • Coffee Meets Bagel
  • Zomato
  • Royal Yachting Association (RYA)
  • Happy Hotel
  • MGM Resorts International
  • Crew and Concierge Limited
  • Princess Cruises
  • Norwegian Cruise Line
  • Landry’s
  • Carnival Cruise Lines
  • CouchSurfing
  • Airbnb
  • Cache Creek Casino Resort
  • Boyne Resorts
  • Expedia
  • Marriott         
  • MGM Resorts            
  • The Ritz, London       
  • FireEye  
  • AB Staffing Solutions
  • Domino’s
  • McDonald’s
  • Carnival Cruise
  • McDonald’s
  • Dotty’s
  • Harbour Plaza Hotel Management Limited

Data breach – maximum fines and damages

  • Marriott International: International hotel chain Marriott International has suffered data breach compromising personal data of 5.2 million guests around the world. This is the third incident of data breach that the hotel chain suffered. It is alleged that the exposed data includes names, addresses, date of birth, gender, email addresses and telephone numbers, employer name, room stay preferences and loyalty account numbers.
  • DoorDash: DoorDash, a food delivery service, confirmed a data breach through a third party vendor, exposing the information of 4.9 million customers, delivery workers and merchants. The leaked data includes names, delivery addresses, phone numbers, hashed passwords, order history, last four digits of both customers’ credit cards and employee bank account number. The driver’s license information of 100,000 delivery drivers were also disclosed.
  • Hyatt Hotels: Hyatt Hotels has been the target of cyber attacks on numerous occasions already. The first case was in 2015, but the bigger damage was done during a data breach in 2017. According to the company, the incident lasted for more than three months, from March 18 to July 2. What’s more, it affected 41 of its properties across 11 countries. The stolen data came from payment cards and included names, card numbers, and CVCs. Since it was the second time a major breach had happened, Hyatt Hotels went under public scrutiny, which affected its stocks and overall reputation worldwide.


Marriott International IncEUR 9,92,00,396Information Commissioner
Delivery HeroEUR 1,95,407Data Protection Authority of Berlin
Louis Travel Ltd.EUR 10,000Cyprian Data Protection Commissioner
Gesthotel Activos BalagaresEUR 15,000Spanish Data Protection Authority
Arp Hansen Hotel Group A/SEUR 147,800Danish Data Protection Authority
Marriott International, Inc.EUR 20,450,000Information Commissioner Office
Foodinho EUR 2.6 million Italian Data Protection Authority (Garante)
AMPUDIA DIAZ, S.L.EUR 1500Spanish Data Protection Authority
APARTAMENTOS PLAYA DE COVACHOS, S.L.EUR 1000Spanish Data Protection Authority