The Information Commissioner’s Office (ICO) – UK’s data privacy watchdog – has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership number.
The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).
According to the ICO, the investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 March 2018, when new rules under the GDPR came into effect.
Also, because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.
The ICO acknowledged that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.