ICO Plans to Fine Marriott £99m+ for Guest Data Breach
In the UK, the Information Commissioner's Office (ICO) has announced that it intends to fine hotel chain Marriott International more than £99m, for breaches of the GDPR data protection law.
The proposed fine relates to a cyber incident which Marriott notified to the ICO last November. The incident exposed a variety of personal data contained in approximately 339 million guest records globally; around 30 million of those records related to residents of 31 countries in the European Economic Area (EEA), and seven million to UK residents.
According to the ICO, the exposure is believed to have begun when the Starwood hotels group's systems were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until two years later. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems. Marriott has since co-operated with the ICO investigation and has made improvements to its security arrangements.
Information Commissioner Elizabeth Denham stated: 'The GDPR makes it clear that organisations must be accountable for the personal data they hold. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public.'
Earlier this week, the ICO issued British Airways with a record fine of £183m for a data breach which took place last year.
Web site: www.ico.org.uk