The UK’s Information Commissioner Office (ICO) is planning to fine Marriott International £99m (€109.93m) for last year’s data breach. The proposed Marriott fine comes hot on the heels of a record-breaking GDPR fine of £183 million imposed by the ICO on British Airways for data breach.
In November last year, Marriott notified the ICO about a data breach in which the company said hackers stole the details of roughly 500 million hotel guests. Following a more extensive investigation this number was later scaled down by the hotel chain to 383 million. Among the data types stolen were unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. The database, which the hackers had been accessing for four years before anyone noticed, was the Starwood Hotels chain’s guest reservation database, since it was decommissioned.
The breach was discovered in November last year, but it is believed the security vulnerability started when a reservation system of Starwood was compromised in 2014. Marriott acquired Starwood in 2016 but did not uncover the hack until two years later. It has since phased out the affected system.
According to the ICO its investigation found that Marriott did not take due diligence to carry out a review of Starwood’s security practices and should have done more to secure its systems. Approximately 339 million guest records were exposed by the breach, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA).
Information commissioner Elizabeth Denham commented: “The GDPR General Data Protection Regulation: a new and more stringent EU regime for data protection, makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”.
The ICO has put on notice to Mariott’s concerned authorities to discuss the findings and proposed sanctions. The ICO said it would consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.