The UK GDPR supervisory authority, the Information Commissioner’s Office (ICO), has issued a notice of intent to fine Marriott £99,200,396 over the massive 4-year data breach that was reported in 2018.
This is the second major GDPR fine to be announced by ICO in the past few days. Earlier this week, ICO announced its intent to fine British Airways £183 million for the lack of security protections that contributed to its 500-million record breach.
The ICO was notified by Marriott in November 2018 that it had experienced a cyberattack that exposed the personal data of approximately 339 million guests, 30 million of whom were from countries in the European Economic Area (EEA). Individuals in 31 EEA countries were affected and had their sensitive personal information exposed.
A vulnerability had not been addressed in the systems of the Starwood Hotels Group which Marriott acquired in 2016. That vulnerability had allowed a third party to gain access to the system in 2014 and the vulnerability remained unaddressed until 2018. ICO determined that Marriott had failed to undertake a sufficient level of due diligence when it acquired Starwood Hotels Group and should have taken greater care to secure its systems.
Marriott cooperated with the ICO investigation and has already voluntarily made several changes to improve security and cybersecurity protections will continue to be improved.
Since the breach affected multiple countries, ICO took on the role of lead supervisory authority and investigated on behalf of other EU member states.
Marriott is not being fined for the breach itself. The fine is for security failures that allowed the breach to continue undetected for two years and the failure to conduct appropriate due diligence.
The fine is substantial but just a tiny fraction of the maximum possible fine of 4% of global annual turnover. For Marriott, the fine represents just 0.006% of its turnover for 2017.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said Information Commissioner Elizabeth Denham.
Marriott now has 28 days to appeal and make representations to the ICO on its findings and the sanction it intends to apply.