GDPR Fine of €123m for Marriott following Massive Data Breach

The Information Commissioner’s Office (ICO), the data authority in the United Kingdom, has revealed that it plans to impose a $123,705,870 General Data Protection Regulation fine on the Marriott hotel group in relation to the 2018 data breach that saw the details of 339 million hotel guests compromised.

This is the second large fine to be revealed by the ICO this week, following Monday’s announcement that British Airways faces a potential €200 million GDPR fine in relation to a data breach that also took place in 2018.

Marriott revealed, in November 2018, that cybercriminals had been accessing their Starwood guest reservation database since 2014. While it was first thought that up to 500 million guests were impacted by the data breach, this number was later revised down to 383 million following a more in-depth investigation.

That investigation revealed that the attackers had obtained 383 million guest records, 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment card numbers and 385,000 card numbers that were still active when the breach occurred. The ICO also revealed that approximately 30 million of the hacked guest records belonged to residents of 31 countries in the European Economic Area, 7 million of which belonged to residents of the United Kingdom.

Elizabeth Denham, the Information Commissioner, said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

The Marriott hotel group revealed, in a statement to the US Securities and Exchange Commission, that it will be appealing the fine. Arne Sorenson, the President and Chief Executive of Marriott International, said that Marriott had replaced the Starwood guest reservation system earlier in 2019.

Sorenson commented: “We are disappointed with this notice of intent from the ICO, which we will contest. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

On May 25, 2018, GDPR became enforceable in the European Union, following a two-year period of preparation. This data protection legislation was formulated to give regulators more authority to safeguard the private data of citizens and to impose financial penalties on companies in relation to data breaches. The highest possible fine under GDPR is 4% of global annual revenue for the previous year or €20m, whichever figure is higher, for a company found to have been in breach of the legislation.

These recent fines suggest that GDPR has now entered a new phase in which data authorities in E.U. Member States have moved on to sanctioning guilty parties in relation to data privacy breaches. More fines are expected in the coming weeks and months once a number of high-profile investigations have been completed in different jurisdictions.

This further highlights how important it is for all companies, big and small, to ensure that they are completely compliant with GDPR legislation if they hold and process the personal data of E.U. citizens.