15 Jul

Marriott group facing £99 million fine

Hotel group Marriott International are set to be fined just over £99m after it left the personal information of up to half a billion guests exposed to hackers.

The Information Commissioner’s Office (ICO) announced the mammoth fine under the tough new General Data Protection Regulation (GDPR).

This is the second major fine issued in the past week by the UK for failing to protect data under Europe’s tough new privacy rules.

The news of the Marriott fine came just a day after the ICO said it planned to fine British Airways a record £183m for a similar breach.

Fines

Regulators now have strict powers to impose fines of up to 4 per cent of global revenues for poor data practices.

Data stolen by hackers included guests’ name, home address, telephone number, passport number, reservation numbers, date of birth and other identifying information.

Encrypted credit card numbers were also stolen during the attack.

In November, Marriott International, the parent company of hotel chains including W, Westin, Le Méridien and Sheraton, admitted that personal data had been stolen in a targeted global hack of guest records.

The hotel chain said it would appeal against the fine.

Marriott International’s chief executive, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

Hackers

The ICO said that unauthorised access by hackers into the systems of the Starwood Hotels group began in 2014, two years before it was acquired by Marriott.

The Marriott data breach exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.

The ICO’s investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The regulator said its notice of intent meant that the company and other EU data protection authorities whose residents have been affected will have an opportunity to comment over the next 16 weeks, before a final decision is taken.

The fines against two major companies come as little surprise. Since GDPR came into force last year, the ICO has been waiting to flex its new muscles.

Reputation

These fines send a strong message to other organisations to get their own house in order on GDPR, and leave them in no doubt that the ICO means business.

It’s worth remembering as well that it’s the public shaming and damage to reputation of these big companies that might now make organisations of all sizes sit up and take notice of whether they are fully GDPR compliant or not.
