Marriott facing £99.2M fine for Data Breach

7,356

US hotel group Marriott International is facing a fine of £99.2M for a data breach that took place in 2014 but was only discovered in 2018.

Following an extensive investigation the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine Marriott £99,200,396 for infringements of the General Data Protection Regulation (GDPR).

A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

 
marriott facing £99.2m fine for data breach - amzbiz 50 - Marriott facing £99.2M fine for Data Breach

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

According to the ICO, Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

Marriott International’s president, Arne Sorenson, said:

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

The intention to fine comes a day after the ICO said it planned to fine British Airways £183m over a separate breach.

Rapid Carol is our resident C++ developer. With a background in corporate development, Carol is responsible for producing all our C++ code for clients.
Carol also handles our Corporate presentations along with Rapid John and is always on hand should any developers need help with code, examples etc.

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.

 

By continuing to use our site or clicking Agree, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.

 

You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.

 

Privacy Settings saved!
Cookie Services

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies are necessary for the website to function and enable essential services and functonality, including identify verification, service continuity and site security. Opt out is not availabe.

Essential Session management cookies for logged in users
  • wordpress_test_cookie
  • wordpress_logged_in_
  • wordpress_sec

For perfomance reasons we use Cloudflare as a CDN network. This saves a cookie "__cfduid" to apply security settings on a per-client basis. This cookie is strictly necessary for Cloudflare's security features and cannot be turned off.
  • __cfduid

Used by Spamshield to stop spam signups
  • _wpss_h_
  • _wpss_p_

NewsWire Service
  • BIGipServerwidget2_www_http

Decline all Services
Accept all Services