The UK’s data privacy regulator has said it plans to fine the US hotel group Marriott International £99.2m. The penalty relates to a data breach that resulted in about 339 million guests having had their personal details exposed. The incident is thought to date back to 2014 but was only discovered in 2018. It comes a day after the Information Commissioner’s Office (ICO) said it planned to fine British Airways £183m over a separate breach. The size of both penalties reflects the fact that the watchdog has greater powers as a result of the EU’s General Data Protection Regulation (GDPR), which came into force last year.
The Marriott data breach included 30 million guest records belonging to Europeans. It occurred within Starwood – a rival hotel group that Marriott acquired three years ago. The compromised guest reservation system has since been phased out. Marriott International’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.” The ICO said that Marriott had failed to properly review Starwood’s data practices and should have done more to secure its systems.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” Security company CyberInt’s lead researcher Jason Hill said: “The draconian fines.. are a wake-up call to all organisations, big and small.”
“Although this may come as a blow to a company such as BA or Marriott, they are robust enough to weather the storm. A smaller organisation suffering a serious breach could find itself overwhelmed by any penalty which, when combined with the loss of consumer confidence and the associated reputational damage -with devastating consequences for its business.”