A data breach that could have exposed personal information such as passport numbers, arrival and departure details and phone numbers of customers of the hotel group Starwood has led to its current owner, Marriott, being fined £18.4 million.
The cyber-attack on Starwood Hotels and Resorts took place in 2014 but remained undetected until 2018, by which time the company had been acquired by Marriott. Marriott estimates that 339 million guest records worldwide, including seven million in the UK, were affected.
The UK’s Information Commissioner’s Office (ICO) found that Marriott had failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).
Information Commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine. What matters most is the public whose data they had a duty to protect.”
In July 2019, the ICO issued Marriott with a notice of intent to fine, setting the proposed penalty at £99 million. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on its business before setting the final penalty.
Two weeks ago, the ICO issued British Airways with its biggest ever fine under data protection law.