The Information Commissioner’s Office (ICO) has announced its intention to fine US hotel group Marriott International $124 million (£99.2m).
The notice comes the day after the UK’s data privacy regulator announced its plan to fine British Airways £183m over a separate data breach. The Marriott breach exposed the personal details of around 339 million guests worldwide. Although the intrusion is thought to have begun in 2014, it was only discovered in 2018.
The size of these latest penalties reflects the fact that the ICO has had substantially stronger enforcement powers since the EU’s General Data Protection Regulation (GDPR) came into effect in May 2018.
The Marriott breach affected the records of some 30 million European residents, and originated in the systems of rival hotel group Starwood, which Marriott acquired in 2016. The compromised Starwood guest reservation system has since been phased out.
Marriott International’s president, Arne Sorenson, said:
We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. …We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.
The ICO said that Marriott had failed to properly review Starwood’s data practices when it bought the company, and should have done more to secure the acquired systems.
Information Commissioner Elizabeth Denham said:
The GDPR makes it clear that organizations must be accountable for the personal data they hold. … This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Jason Hill, lead researcher at security company CyberInt, said: “The draconian fines … are a wake-up call to all organisations, big and small.”
Although the fines may come as a blow to companies such as BA or Marriott, both are robust enough to weather the storm. A smaller organisation suffering a serious breach could find itself overwhelmed by a penalty of this kind which, combined with the loss of consumer confidence and the associated reputational damage, could have devastating consequences for its business.