US hotel group Marriott International becomes second firm in a week to be slapped with massive GDPR fine from the UK’s Information Commissioner’s Office (ICO).
The UK’s Information Commissioner’s Office (ICO), has announced it intends to fine Marriott International over £99 million (US$123 million) under the General Data Protection Regulation (GDPR) for a 2018 data breach, which resulted in hackers stealing the records of 339 million of the hotel chain’s guests.
Marriott was first alerted to the fact it was hit by a cyberattack in September last year, but the incident wasn’t reported until November. After an investigation the ICO said the issue appeared to begin when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, although the theft of customer information was not discovered until last year.
It was first thought that 500 million customers were impacted by the breach, but in March more information emerged about the breach after a testimony by Arne Sorenson, Marriott’s Group CEO. Sorenson confirmed that 383 million guest records and 18.5 million encrypted passport numbers were breached. Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers in addition to 5.25 million unencrypted passport numbers.
The ICO said that its investigation found that "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
In a statement of the regulator’s intention to fine Marriott, Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
In a statement Sorenson said the company was “disappointed” with the ICO's announcement and claimed the company would contest the fine. “Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” he said.
It is the second time in less than a week that the UK regulator has flexed its muscle to impose huge fines using extensive powers relating to breaches under GDPR. Having announced on Monday that British Airways faces a £183.39 million (US$230 million) fine for failing to protect customers’ financial and personal data following last year’s Magecart-style attack on its website.
In BA’s case its fine represented just 1.5% of its turnover in 2017 while Marriott’s represented about 3% of the hotel company’s US$3.6 billion revenue from 2018.
“The BA and Marriott fines should come as a stark warning to organizations about how seriously the ICO is taking any data breach that exposes sensitive customer data,” commented Rob Dallison, Associate Vice President at SAI Global. “The reality is that data is a valuable asset if utilized correctly – but can be a very costly one if not. Businesses that ensure the security of their customers’ data, and demonstrate full transparency in how they use it, stand to gain huge competitive advantage. After all, the more personal data an organization holds, the more opportunity it has to analyze that data for the purpose of understanding and serving its audience.”
Dallison added: “Data is an essential part of the digital economy, so maintaining its security must be a business imperative.”