A second high-profile fine has been announced by the Information Commissioner’s Office (ICO) just one day after it said British Airways would face a £183 million penalty, this time against Marriott International for a data breach that affected hundreds of millions of guest records.
The commissioner is planning to fine Marriott £99,200,396 for the 2018 theft of customer data. The breach was discovered in November, but it is believed the security vulnerability started when a reservation system of Starwood were compromised in 2014.
Marriott acquired Starwood in 2016 but did not uncover the hack until two years later. It has since phased out the affected system.
The ICO said Marriott did not take due diligence to carry out a review of Starwood’s security practices and should have done more to secure its systems.
An investigation into the incident concluded approximately 339 guest records were exposed by the breach, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million of those lived in the UK.
Information commissioner Elizabeth Denham commented: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
As in the case of BA, which is also facing a fine for a 2018 data breach, the ICO will give Marriott the opportunity to contest the proposed penalty.
Marriott CEO Arne Sorenson said the company is “disappointed” with the news and intends to challenge the fine. He added the hotel giant has cooperated with the ICO throughout its investigation and has taken steps to beef up its security measures.
Sorenson commented: “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The company also faced a lawsuit in the US over the breach after two lawyers said their personal data may have been compromised by the incident.