Business leaders have been put on notice by the Information Commissioner’s Office (ICO), which today said it intends to fine Marriott International over £99.2 million under the General Data Protection Regulation (GDPR) for a 2018 data breach.
The fine is only the second to be issued under GDPR rules, which came into force on 25 May 2018. It is the second substantial proposed GDPR fine in just two days.
British Airways was the first to face a potential hit this week. It was warned by the ICO that it faces a £183.39 million fine for failing to protect customers’ financial and personal data following last year’s Magecart-style attack on its website.
Both companies have the opportunity to contest the sums.
Information Commissioner Elizabeth Denham commented in an ICO statement: “GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The Marriott/Starwood data breach occurred in November of 2018 when Marriott was alerted by an internal security tool that someone had tried to illegally access the guest reservation database of its Starwood customers. Starwood was a separate hotel chain before its acquisition by Marriott International in 2016.
Marriott subsequently discovered that there had been unauthorised access to the Starwood database as far back as 2014.
Marriott International’s President and CEO, Arne Sorenson commented: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The Marriott statement also noted that: “Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position.”
Marriott International’s full year reported net income for 2018 totaled $1.9 billion.
Marriott Fined After Lengthy Investigation
Following an investigation by the ICO they concluded that Marriott had failed to ‘undertake sufficient due diligence’ when it acquired Starwood to secure and report any breaches with its IT systems.
Approximately 339 million guest records were exposed in the incident of which 30 million belonged to EU residents, seven million UK residents were effected by data breach. The information copied by the hacker included some combination of name, mailing address, phone number, email address and passport numbers.
The ICO has acted as the lead supervisory authority on behalf of the other EU member states who had residents effected by this data breach.
Information Commissioner Elizabeth Denham wrote that: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Tony Pepper, the CEO of UK-based data protection specialist Egress, said in an emailed comment: “The scale of both fines can leave no doubt in anyone’s mind that we’re now operating under very different standards than when the Data Protection Act was enforced. If it wasn’t clear before, it certainly is now: there can be no hiding place for organisations that fail to adequately protect customer data. If the BA announcement felt like the tip of the GDPR iceberg, the Marriott one has started to show how deep this problem really goes – and what the ICO is willing to do to get to the bottom of it.”