The UK’s Information Commissioner’s Office (ICO) has announced its intention to fine the US hotel group Marriott International £99.2 million (US $123 million) for a data breach that exposed the personal details of hundreds of millions of guests.
In its initial announcement in November 2018, Marriott said that the compromised Starwood guest reservation database may have contained information about up to 500 million guests – a figure it later revised down to approximately 383 million guest records.
Information stolen included names, mailing addresses, phone numbers, email addresses, Starwood Preferred Guest (“SPG”) account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. In addition, millions of encrypted payment card numbers and passport numbers were exposed.
During its subsequent investigation, Marriott discovered that the Starwood network had been subject to unauthorised access since 2014, two years before Marriott acquired the Starwood hotel group in 2016.
Some of the data compromised in the hack inevitably related to customers based in the European Union, and it is that European connection which means Marriott is facing a heavy penalty under the EU’s General Data Protection Regulation (GDPR).
According to the ICO, around 30 million of the hacked records related to residents of 31 countries in the European Economic Area (EEA), with seven million connected to UK residents.
The ICO says that Marriott “failed to undertake sufficient due diligence” when it bought Starwood and should have done more to secure its systems.
GDPR, which came into force last year, allows for fines of up to 20 million Euros or 4% of a company’s global annual turnover – whichever is higher.
In a statement, Information Commissioner Elizabeth Denham sent a clear warning to other businesses who are careless with the personal data they hold:
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott is co-operating with the ICO investigation, and has made improvements to its security since the breach was discovered. The hotel chain says it will contest the proposed fine vigorously, in the hope that it can be reduced.
Earlier this week, the ICO announced that it was intending to fine British Airways £183 million for a breach that compromised the personal data of 500,000 customers last year.