Hotel Fined For Breakfast List Data Breach


In the past couple of days I’ve written about how both British Airways and Marriott are facing nine-figure fines for GDPR violations related to their data breaches. These fines can be up to 4% of a company’s annual revenue, so they have the potential to be massive.

While not nearly as big, @Dailybits and @fotograaf point to another very interesting hotel data breach. This time we’re not talking about a fine of tens of millions of GBP, and we’re not talking about something that impacted tens of millions of people.

Rather, we’re talking about a hotel breakfast. The GDPR enforcement tracker shows a July 2 fine against the World Trade Center Bucharest (which has a Pullman hotel) in the amount of 15,000 Euros. The breach? A list containing the names of 46 guests who were entitled to breakfast at the hotel was photographed by an unauthorized party. Here’s the summary of the incident:

The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel’s WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties.

In other words, the hotel is said not to have implemented adequate technical and organizational measures to ensure an appropriate level of security for the data it was handling.

I totally agree that this hotel didn’t do enough to protect customer data, though am I the only one who feels like this is totally commonplace? I consistently think hotels don’t do enough to protect guests’ data.

For example, I can’t count the number of times I’ve seen the guest list at the host stand at breakfast, or the number of times I’ve seen a list of guests on a housekeeping cart. Similarly, some hotel gyms make you sign your name and room number on a list that everyone can see, which also seems like a huge violation.

I absolutely think hotels need to do better than this to protect customer data, though if this is worthy of a fine, I feel like a vast majority of hotels have a fine like this coming their way.

What am I missing?

  1. You’re not missing anything. Hotels and other similar businesses in the service industry are flippant with PII. Hopefully after seeing these “smaller” (non-Fortune-500) fines the industry takes a cue and starts trending in the right direction.

  2. It’s stupid. Where is this all supposed to go? I’ve just been at a desk and I’ve been told that they can’t call me by name because of GDPR. They now have to hand out numbers. Sorry, but that is totally absurd and I don’t want to live in a world like this. But on the other hand, my government forces me to tell the whole wide world where I live, my phone number, just because I have a website.

  3. The fact that it might be commonplace does not mean that it’s also good. Hopefully this will increase awareness everywhere.

  4. I’m with @Betty. A list of restaurant customers??? Who cares??? It’s not like a list of people who have herpes. It’s just a restaurant. It doesn’t need to be protected like some national secret. People need to chill out.

    @Lucky, how is the fact that you used the gym at the hotel a “huge violation”? Of what consequence is that fact to anyone? Maybe if you’re a celebrity you want to put down a fake name just so you’re not hassled by any other guests who come in after you, but for normal people, what difference does this make?

  5. Someone enlighten me please. A breakfast list for guests should only have the name of the person and their room number, and not their credit card information or any other personal information. How is this considered a violation? What damage can be done if someone takes a picture of my name and room number?

  6. We need to stop assuming that “small breaches” can be ignored. They can’t. These fines will finally get these corporates to wake up and the executive boards to stop being so complacent.

  7. Name and room number on a list can be an issue because then thieves can find out if you’re onsite simply by using the house phone and asking for you. I actually thought about this the last time a hostess at breakfast drew a line through my name and room number on a list like that, to show that I had already been admitted.

  8. @[email protected]

    “Shakedown policies of the EU”

    That makes absolutely zero sense. The legislation is EU law, operating across the EU.

    But it is national governments, not the EU, which are responsible for implementation AND WHICH RECEIVE ANY FINES.

    The UK is very hot on data protection, and the relevant government agency – the ICO – is efficient and effective. Note that they don’t receive any of the fines either.

  9. How about issuing numbers at the doctor’s office? Isn’t it a breach of confidentiality to call out patients’ names in front of everyone in the waiting room?

  10. @ Billiken

    It’s only a breach if they are using your data in a way for which you have not given permission, or which a reasonable person would not expect.

    Most of us expect our name to be called out at the Doctor’s office. Therefore there’s no breach (unless you had specifically agreed with them that your name would not be used like that. Though you might then be waiting for a long time…).

    I guess pretty soon we’ll have someone describe this as “political correctness gone mad”, probably based on a fake story to illustrate the point.

  11. These regulations are very… broad. I work in tax collection, so can basically see everything about everyone. But oh no, got to keep that email inbox empty because of personal data I’m not allowed to store…

  12. I hope they don’t take down these lists. It can often be used to get free breakfast when the reservation doesn’t include it.

  13. More ridiculous bureaucracy that punishes businesses and their customers (more hassles, fewer perks, higher room rates) for doing nothing wrong. Why are the people who steal these lists, access them illegally or hack them never fined, but these companies are? If someone walks behind a front desk and sees the list, the hotel would be fined according to the logic of the regulator. It’s absurd.

  14. I was in a hotel in Manchester, UK over the weekend. The list of customers having breakfast that was included in the room rate was inside a folder and only opened when a guest needed to be checked against the list when they entered the restaurant area.

    The list at a hotel in Amsterdam last month (owned by a US chain) was held behind a desk which was very difficult for anyone to overlook, and also in a folder.

    Simple, cheap measures to protect personal data. And easily replicated by any other hotel.

    How much does a folder cost – €5?

  15. I work at a hospital. I’m beginning to think everyone should be issued a mask and a code name before they arrive. The privacy thing has just gotten ridiculous.
    Remember the old days when they published hospital admissions in the local paper? And everyone knew their neighbors .. and cared about them?

  16. GDPR is a big issue and EU is trying to keep our data safe.

    Is it overkill? Yes
    Are people trying to get our personal data? Yes

    There will not be a perfect solution; it is a matter of adapting to new regulations that will make this event risible in a few years.

  17. I don’t think this is overkill. I work with PII a lot and I can think of several ways a list of names and room numbers could be misused, even without any other PII.

    Hotels should be more careful, not least because the first and easiest thing a miscreant could do would be to charge something to the room of someone on the list; a direct loss to the hotel.

    GDPR is actually some pretty good legislation and hopefully this first round of fines will encourage companies to take data protection seriously.

  18. I’m in the over the top camp on this one.

    Don’t get me wrong, hotels really do need to up their game on IT, especially the ‘legacy’ chains. There is no reason they shouldn’t have an electronic breakfast list in this day and age, needing only a room number or a tap of the room key or loyalty card to cross you off the list.

    That said though, if Europe wants to go off on a tangent with this kind of nonsense that’s fine. Although given these costs are basically always passed onto consumers in one way or another the companies subject to this kind of compliance should charge a ‘Europe Levy’ to EU / EEA customers so the rest of us around the world that don’t care to be subject to EU rule from afar don’t have to wear the financial consequences.

    I’ll take any government agency in charge of enforcing data rules seriously when the government actually leads the way and stops breaches and handles information properly. I suspect I’ll be waiting a while.

  19. How many times have you seen a flight manifest lying around a galley? I don’t see it as often now but it does occur.

    In addition, I’m CX Diamond and on 100% of my CX flights there is a post it note in the nearest galley with my full name and seat number listed. Not the biggest violation…but still.

  20. @ Nicholas Wall

    “the rest of us around the world that don’t care to be subject to EU rule from afar”

    An extraordinarily ironic post to a US-based blog.

    The US, the land of extra-territorial sanctions against any company which has the audacity to do business with, say, Cuba…

    So what about those of us who don’t care to be subject to US rule from afar? Or is that somehow different…?

  21. If a hotel can be so sloppy with names/room numbers on a breakfast list, I can only imagine how bad they are about keeping my other information secure.

    It’s sad how Facebook and its creepy tracking measures have changed everyone’s level of tolerance of personal privacy.

    Glad to see the EU step up GDPR violation enforcement!

  22. Ok, this is completely bonkers. I also agree with Betty… I don’t want to live in a world like this.

  23. This happens at the Club Lounge of larger domestic Sheraton hotels too….
    In fact one property in particular LEAVES the list on the podium, and at 10pm it’s still there!
    SO one time I snagged it and checked it out. That’s how I was able to see the status classification codes. Not to mention arrival dates & departure dates, VIPs, room numbers etc.

    This should be a training wakeup call for domestic and intl properties

  24. @ The nice Paul

    Quite different. If the USA says a company/country can do business with the USA or Cuba that really doesn’t impact me.

    When the EU decides to pursue some ambitious regime and tries to apply it around the globe by stealth, and pushes up the prices of everyday goods in the process, it does have an impact. When the EU proposes to break the internet and pushes out by stealth those proposals to tax hyperlinks and ban memes, as they did recently, that impacts me.

    They are within their rights of course to pursue their GDPR regime within the EU. It might even be well intentioned (if not fundamentally flawed). Regardless, EU / EEA citizens should be the ones wearing the cost of it and be charged the “compliance surcharge” to deal with the drama it causes.

  25. What you’re missing is that nobody has thought to take this GDPR breach to the regulators before.
