October 30, 2020

ICO drops Marriott fine to £18.4m for hotel hack “failure”

By Robert Scammell

The UK’s data regulator has fined Marriott International £18.4m for failing to protect hundreds of millions of hotel guest records.

In 2019 the Information Commissioner’s Office (ICO) said it planned to fine the hotel group £99.2m after hackers stole an estimated 339 million guest records during a four-year cyberattack.

The ICO reduced the fine because of the steps Marriott has taken in the wake of the breach and “the economic impact of Covid-19”.

Marriott said it would not appeal the decision but “makes no admission of liability in relation to the decision or the underlying allegations”.

The cyberattack began in 2014, targeting the computer systems of Starwood Hotels & Resorts Worldwide Inc. The attackers continued to exfiltrate data until 2018, by which time Marriott had acquired Starwood. The data breach was made public in November 2018.

In its investigation, the ICO found that Marriott failed to put appropriate “technical or organisational measures in place to protect the personal data being processed on its systems”.

Doing so is a requirement of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. While the breach stretched back four years, the Marriott fine only relates to the breach after this date.

Affected personal data included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. Seven million guest records related to people in the UK.

Marriott “deeply regrets the incident”

Information Commissioner, Elizabeth Denham, said:

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

In a statement, Marriott said it “deeply regrets the incident”.

“Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises. The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.

“Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”

The ICO said it had considered the steps Marriott took in the wake of the data breach when deciding the fine, which included adding additional security measures and setting up a helpline for affected customers. It also weighed up the financial implications of levying a large penalty against a hospitality company during the Covid-19 pandemic.

The Marriott fine reduction follows the ICO’s downgrading of the British Airways fine from £183m to £20m earlier this month; the airline is another company in a sector hard-hit by the pandemic.

In March this year, Marriott suffered another data breach in which the personal details of “up to” 5.2 million people were affected.

