The UK data protection regulator the Information Commissioner’s Office (ICO) intends to fine the hotel brand Marriott International £99.2m for breaches of data protection law; to be exact, £99,200,396 for infringements of the General Data Protection Regulation (GDPR), which replaced the previous law and the ICO’s maximum possible fine of £500,000 in May 2018.
The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in about 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. According to the ICO, it is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO found that Marriott failed to do enough due diligence when it bought Starwood and should have done more to secure its systems.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The ICO says Marriott has made improvements to its security arrangements since these events came to light. As with the proposed fine of British Airways, the ICO has been investigating this case as lead supervisory authority on behalf of other EU countries’ data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment, and the ICO has yet to take its final decision.
Marriott says it intends to respond and vigorously defend its position. The company’s US-based President and CEO, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The company says that the attacked Starwood guest reservation database is no longer used for business operations.
Meanwhile the ICO published its 114-page 2018-19 annual report, noting that the year was ‘record-breaking’ for monetary penalties under the previous Data Protection Act 1998. Visit https://ico.org.uk/about-the-ico/our-information/annual-reports.
Comment
Rufus Grig, CTO at the cloud and IT managed services company Maintel said: “Organisations like Marriott and BA are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers high return on investment. Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.”
