The UK’s Information Commissioner’s Office (ICO) has fined Marriott International £18.4 million for failing to secure the personal data of up to 339 million customers, 7 million of whom reside in the United Kingdom.
Marriott announced it has suffered a massive data breach in 2018; however, the initial breach occurred 4 years previously in 2014. Unknown individuals had gained access to the systems of Starwood Hotels and Resorts Worldwide Inc., which was acquired by Marriott international in 2015. Since the initial breach, the attackers had been copying, encrypting, and stealing customer data including names, phone numbers, email addresses, passport numbers, arrival and departure information, VIP status, and loyalty program membership numbers.
ICO investigated the breach and determined that Marriot had failed to implement appropriate safeguards to prevent customer data from being processed on its systems and, as such, had violated the requirements of the General Data Protection Regulation.
In July 2019, the ICO announced its intention to impose a £99 million financial penalty on the hotel chain to resolve the GDPR violations. The ICO considered representations from Marriott and the steps Marriott took to mitigate the effects of the data breach. The financial impact of the coronavirus pandemic on Marriott was also considered and the financial penalty was reduced by 82%. Since the GDPR only came into effect on May 25, 2018, the penalty only reflects the breach and GDPR compliance failures after that date. Marriott International has announced that it plans to appeal the financial penalty.
“Personal data is precious, and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” said information commissioner Elizabeth Denham. “When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The ICO also recently reduced the £183 million GDPR financial penalty imposed on British Airways by 89%, requiring the airline to pay a penalty of £20 million for its data breach. The representations of the company and the impact of COVID-19 on the airline were also taken into consideration when determining the financial penalty.