The Radisson Hotel Group has experienced a data breach impacting members of the firm's loyalty and rewards scheme.
The chain accounts for over 1,400 hotels in over 70 countries and includes the Park Plaza brand, Country Inn & Suites, Park Inn, and Radisson Collection.
Radisson Rewards members were directly informed on October 30 and 31 that a security incident, discovered on the first of the month, may have involved the leak of personal information.
A "security incident" which impacted a "small percentage of Radisson Rewards members" took place weeks before, on September 11.
Information including names, physical addresses, countries of residence, email addresses, and some company names, telephone numbers, frequent flyer numbers, and Radisson Rewards member numbers was compromised.
The hotel chain says that no financial data or passwords were involved in the breach.
Radisson Hotel Group has not revealed how many members of the loyalty scheme have been affected, beyond the figure of "less than 10 percent."
The hotel chain's advisory suggests that employee accounts with permission to access this data were potentially at fault, having been fraudulently accessed by an attacker.
"Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s)," the company said. "All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior."
"Radisson Rewards takes this incident very seriously and is conducting an ongoing extensive investigation into the incident to help prevent data privacy incidents from happening again in the future," the company added.
The incident may not be so quickly forgotten, however. The hotel chain is headquartered in Brussels, Belgium, and so is subject to the European General Data Protection Regulation (GDPR), which was formally launched on May 25.
GDPR requires companies which suffer a data breach to report the incident within 72 hours of becoming aware of it. Should regulators choose to investigate and find security wanting, organizations can be fined up to 10 million euros or four percent of the company's annual global turnover, whichever is higher.
Radisson Hotel Group confirmed to ZDNet that "upon discovering the data incident, Radisson Hotel Group promptly informed EU regulators of the situation."
Since the launch of GDPR, the UK's Information Commissioner's Office (ICO) has received an average of 500 calls a week in relation to security incidents.
Speaking to The Register, the ICO said:
"All organizations processing personal data should do so safely and securely. If anyone has concerns about how their data has been handled, they can report these concerns to us and we can look into the details."