The UK’s data regulator has fined Marriott International £18.4m for failing to protect hundreds of millions of hotel guest records.
In 2019 the Information Commissioner’s Office (ICO) said it planned to fine the hotel group £99.2m after hackers stole an estimated 339 million guest records during a four-year cyberattack.
The ICO reduced the fine because of the steps Marriott has taken in the wake of the breach and “the economic impact of Covid-19”.
Marriott said it would not appeal the decision but “makes no admission of liability in relation to the decision or the underlying allegations”.
The cyberattack began in 2014, targeting the computer systems of Starwood Hotels & Resorts Worldwide Inc. Marriott acquired Starwood in 2016, but the intrusion went undetected and the attackers continued to exfiltrate data until 2018. The data breach was made public in November 2018.
In its investigation, the ICO found that Marriott failed to put appropriate “technical or organisational measures in place to protect the personal data being processed on its systems”.
Doing so is a requirement of the General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. Although the attackers had been inside Starwood’s systems since 2014, the Marriott fine relates only to the part of the breach that occurred after that date, when the GDPR applied.
Affected personal data included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests’ VIP status and loyalty programme membership numbers. Seven million of the guest records related to people in the UK.
Marriott “deeply regrets the incident”
Information Commissioner Elizabeth Denham said:
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”
In a statement, Marriott said it “deeply regrets the incident”.
“Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises. The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.
“Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”
The ICO said that, in deciding the fine, it had considered the steps Marriott took in the wake of the data breach, including additional security measures and a helpline for affected customers. It also weighed the financial implications of levying a large penalty on a hospitality company during the Covid-19 pandemic.
The Marriott fine reduction follows the ICO’s decision earlier this month to cut the British Airways fine from £183m to £20m; the airline is another business in a sector hard hit by the pandemic.
In March this year, Marriott suffered another data breach in which the personal details of “up to” 5.2 million people were affected.