Marriott group facing £99 million fine
Hotel group Marriott International are set to be fined just over £99m after it left the personal information of up to half a billion guests exposed to hackers.
The Information Commissioner’s Office (ICO) announced the mammoth fine under the tough new General Data Protection Regulation (GDPR).
This is the second major fine issued in the past week by the UK for failing to protect data under Europe’s tough new privacy rules.
The news of the Marriott fine came just a day after the ICO said it planned to fine British Airways a record £183m for a similar breach.
Regulators now have strict powers to impose fines of up to 4 per cent of global revenues for poor data practices.
Data stolen by hackers included guests’ names, home addresses, telephone numbers, passport numbers, reservation numbers, dates of birth and other identifying information.
Encrypted credit card numbers were also stolen during the attack.
In November, Marriott International, the parent company of hotel chains including W, Westin, Le Méridien and Sheraton, admitted that personal data had been stolen in a targeted global hack of guest records.
The hotel chain said it would appeal against the fine.
Marriott International’s chief executive, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
The ICO said that unauthorised access by hackers into the systems of the Starwood Hotels group began in 2014, two years before it was acquired by Marriott.
The Marriott data breach exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.
The ICO’s investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
The regulator said its notice of intent meant that the company and other EU data protection authorities whose residents have been affected will have an opportunity to comment over the next 16 weeks, before a final decision is taken.
The fines against two major companies come as little surprise. Since GDPR came into force last year, the ICO has been waiting to flex its new muscles.
These fines send a strong message to other organisations to get their own house in order with GDPR, and leave them in no doubt that the ICO means business.
It’s worth remembering as well that the public shaming and reputational damage suffered by these big companies may be what makes organisations of all sizes sit up and take notice of whether they are fully GDPR compliant.