The Information Commissioner’s Office (ICO) has fined Marriott International Inc £18.4 million after a data breach put some 339 million guest records at risk. Around seven million of those records related to people in the UK.
Because the breach happened pre-Brexit, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR). The penalty and action have been approved by the other EU Data Protection Authorities.
While the Marriott data breach was discovered in 2018, it could affect customers who made a booking at one of the affected hotels and timeshare properties as far back as 2014. However, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.
What happened in this case?
Between 2014 and 10 September 2018, cybercriminals were able to repeatedly access, encrypt and exfiltrate large volumes of customer data from the Starwood guest reservation system. Marriott completed its acquisition of Starwood in September 2016, by which point the attackers had already been inside Starwood’s network for around two years. However, rather than migrate to Marriott’s own reservation system, the business continued to run the IT infrastructure it had inherited from Starwood, and the compromise went undetected. In November 2018, an internal investigation by the hotel group confirmed that there had been unauthorised access to a database containing guest information relating to reservations at various Starwood properties, and that millions of guest records had been involved. Many of the records included highly sensitive information such as payment card and passport numbers.
What has the ICO said?
According to the ICO, Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR. Commenting on the fine announcement, Information Commissioner, Elizabeth Denham, said:
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Why has the fine been reduced?
In July 2019, the ICO issued Marriott with a notice of intent to fine. At that stage, Marriott was facing a penalty of around £99 million.
However, as part of the UK’s regulatory process, the ICO considered representations from Marriott and took the economic impact of COVID-19 on the business into account before setting the final penalty. The ICO also acknowledged that Marriott acted promptly to mitigate the risk of damage and inform those affected.
This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
Make a Marriott compensation claim with Keller Lenkner UK
While the ICO has the power to impose data breach fines, none of that money goes to the victims of the breach. So, if your data was put at risk by Marriott, you may wish to make a data breach compensation claim.
Keller Lenkner UK has launched a Marriott data breach group action to help victims achieve justice.