Marriott data breach fine slashed to £18.4 million by UK regulator
  • ICO initially fined Marriott International £99.2 million
  • Fine massively reduced in part due to COVID-19’s impact on hotel industry

Marriott International has been fined £18.4 million (US $23.8 million) for its failure to adequately protect the personal records of 339 million guests.

The fine, imposed by UK data regulator, the Information Commissioner’s Office (ICO), is a massive 81% less than the £99.2 million fine originally imposed upon the hotel group last year.

It is now two years since Marriott warned the public that hackers had managed to gain unauthorised access to the Starwood guest reservation database since 2014, exposing guests’ names, mailing addresses, phone numbers, email addresses, Starwood Preferred Guest (“SPG”) account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. In addition, millions of encrypted payment card numbers and passport numbers were also breached.

The hackers continued to exfiltrate sensitive data from the system after Marriott acquired Starwood in 2016, and their presence went unnoticed by Marriott until 2018.

At the time, the breach was described as the second-biggest data breach in history.

The ICO determined that Marriott “failed to undertake sufficient due diligence” when it bought Starwood and should have done more to secure its systems from cybercriminals, but has now dramatically reduced the fine it is imposing on the international company.

Why the massive reduction from £99.2 million to £18.4 million? According to the ICO, it has now taken into account the steps Marriott has taken to mitigate the effects of the incident and the economic impact COVID-19 has had on the hotel business.

A similar decision was made two weeks ago by the ICO in relation to British Airways, which has had its 2018 data breach fine reduced from £183 million to £20 million, despite a catalogue of errors.

The UK’s Information Commissioner, Elizabeth Denham, said:

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

I certainly can’t disagree with that.

And although I’m sympathetic with those who hold the view that Marriott has dodged something of a financial bullet – due to the coincidence that it was being investigated for a massive data breach while the hotel industry was struggling with a global pandemic – I do hope that even this reduced fine will help wake up other companies to the need to always treat data security as a priority.

Maybe other companies also need to consider more carefully the importance of security audits when merging with or acquiring another business, and not take for granted that the systems they are inheriting are already secured against hackers.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.