The Radisson Hotel Group has experienced a data breach impacting members of the firm’s loyalty and rewards scheme in over 1,400 hotels in over 70 countries. The Group claims, though, that less than 10% of the members of the loyalty scheme have been affected.
Compromised information includes names, physical addresses, countries of residence, email addresses, and some company names, telephone numbers and frequent flyer numbers, as well as Radisson Rewards members’ numbers.
The breach was discovered 20 days after it occurred. Impacted member accounts have been secured and flagged to monitor for any potential unauthorized behaviour. Radisson Hotel Group promptly informed EU regulators of the situation.
For now, Radisson Hotel Group might face a fine of up to 10 mln EUR or 2% of global turnover. However, a full investigation needs to be performed to evaluate the risks and the actions that the company took to reduce the damage.
LEARNING TIP: Hospitality sector companies hold a wide variety of information about their customers. Therefore, the first thing these companies should do is review all of that data. Consent practices should exist for both newly created and already existing records. If some are missing, an update must be made. Companies dealing with personal data on a large scale should appoint a data protection officer (DPO) and carry out a Data Protection Impact Assessment (DPIA). There are also additional requirements for data that is transferred outside the EU.