In the United Kingdom, the Information Commissioner’s Office (ICO) has hit hotel group Marriott International with an £18.4 million General Data Protection Regulation (GDPR) penalty for failing in its legal obligation to safeguard the private data of millions of guests.
While this fine is extremely high, the final figure applied could be considered something of a let-off for the group, because in July 2019 the ICO had already notified the Marriott group management company Starwood Hotels and Resorts Worldwide of its intention to apply a fine as high as €110m. However, in calculating the final figure, additional considerations were taken on board, including representations made by the group, the financial impact of the COVID-19 pandemic and the steps taken to stop a similar breach occurring in the future.
The fine was the result of the cyber attack on Starwood Hotels and Resorts Worldwide that took place during 2014. This breach went undiscovered until September 2018, following the acquisition of the group by Marriott.
The ICO conducted an official review which found that Marriott had not implemented ‘appropriate measures’ to safeguard the personal data being processed, as is legally required under GDPR. Although the review found that the breach went back as far as 2014, the penalty that was applied relates only to events that occurred after the go-live date of GDPR, 25 May 2018. The investigation found that the data involved in the breach may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.
Around 339 million guest records around the world were impacted by the breach. However, because there were duplicate copies of some of the impacted information, it is possible that fewer people were actually involved in the breach. It was also calculated that, of this figure, some 30 million of those impacted are resident in the EU, with seven million of those being UK citizens.
Commenting on the breach, Information Commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
You can read the full report from the ICO in relation to the application of the fine here.
A statement on the decision taken by the ICO, published on the Marriott corporate website, stated: “Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests. Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”
You can read the full statement here.