The Information Commissioner’s Office (ICO) in the United Kingdom has approved an £18.4 million General Data Protection Regulation (GDPR) penalty for the Marriott hotel group for failing to meet the legal requirement to properly secure the personal data of millions of its customers.
Though the GDPR penalty is extremely high, it could be regarded as a generous move on the part of the ICO. In July 2019 the data protection regulator had already notified Starwood Hotels and Resorts Worldwide, the management company of the Marriott group, that the potential fine could be up to €110m. However, in arriving at the final figure the ICO took into account representations made by Marriott, the financial impact of the COVID-19 pandemic and the steps taken to prevent a similar breach occurring in future, resulting in a lower fine being sanctioned.
The GDPR penalty came about due to the cyber attack on Starwood Hotels and Resorts Worldwide databases in 2014 – a breach that went unnoticed until September 2018, after Marriott had bought the Starwood group. The ICO then carried out an official investigation, which found that Marriott had not put in place ‘appropriate measures’ to protect the personal data it was processing, a legal obligation under GDPR. Although the investigation indicated that the breach dated back as far as 2014, the penalty applies only to events that took place after GDPR came into force on 25 May 2018. The official audit found that the breach may have exposed a range of personal data, including names, email addresses, phone numbers, unencrypted passport details, arrival/departure dates, guests’ VIP status and loyalty programme membership account numbers.
Approximately 339 million guest records globally were accessed in the breach, although some of these may have been duplicate copies of the same information. It was also estimated that around 30 million of the affected individuals are resident in the EU, with seven million of those resident in the UK.
Information Commissioner Elizabeth Denham released a statement which said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” You can read the full ICO findings by clicking here.
The Marriott corporate website included an official statement which said: “Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests. Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.” You can read Marriott’s statement by clicking here.