Hotel Fined For Breakfast List Data Breach

In the past couple of days I’ve written about how both British Airways and Marriott are facing nine figure fines for GDPR violations related to their data breaches. These fines can be up to 4% of a company’s annual revenue, so the fines have the potential to be massive.

While not nearly as big, @Dailybits and @fotograaf point to another very interesting hotel data breach. This time we’re not talking about a fine of tens of millions of GBP, and we’re not talking about something that impacted tens of millions of people.

Rather we’re talking about a hotel breakfast. The GDPR enforcement tracker shows a July 2 fine against the World Trade Center Bucharest (which has a Pullman hotel) in the amount of 15,000 Euros. The breach? A list containing the names of 46 guests who were entitled to breakfast at the hotel was photographed by an unauthorized party. Here’s the summary of the incident:

The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties.

It’s said that the hotel didn’t implement adequate technical and organizational measures to ensure a level of security that’s appropriate.

I totally agree that this hotel didn’t do enough to protect customer data, though am I the only one who feels like this is totally commonplace? Like, I consistently think hotels don’t do enough to protect guests data.

For example, I can’t count the number of times I’ve seen the guest list at the host stand at breakfast, or the number of times I’ve seen a list of guests on a housekeeping cart. Similarly, some hotel gyms make you sign your name and room number on a list that everyone can see, which also seems like a huge violation.

I absolutely think hotels need to do better than this to protect customer data, though if this is worthy of a fine, I feel like a vast majority of hotels have a fine like this coming their way.

What am I missing?

Comments are closed.