The UK Information Commissioner’s Office (ICO) announced it has fined Marriott International £18.4 million ($23.5 million) over the data breach, disclosed in 2018, that exposed the personal information of millions of the company’s customers.
“The ICO has fined Marriott International Inc £18.4 million for failing to keep millions of customers’ personal data secure,” reads the press release published by the ICO. “The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).”
According to the U.K.’s Information Commissioner’s Office, Marriott International was not compliant with the European Union’s data protection regulation GDPR.
The fine is lower than the ICO initially proposed because the watchdog took into account Marriott’s efforts “to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.
In November 2018, the hotel chain announced that data on as many as 500 million guests of its Starwood hotels may have been compromised in a security breach that began in 2014.
It remains one of the largest data breaches in history and the biggest to hit the hospitality industry.
Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The Starwood portfolio includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.
According to the company, attackers had been accessing the Starwood guest reservation database since 2014 and had copied and encrypted the information, the typical preparation for exfiltrating it.
The intrusion was detected on September 8, 2018, when an internal security tool flagged an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, the investigation confirmed that the attackers had reached the database containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”
For roughly 327 million of those guests, the compromised records included names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information and reservation dates. Unlike payment cards, identifiers such as passport numbers and dates of birth cannot simply be reissued, so their exposure carries long-term fraud risk for the people concerned.
The investigation into the Starwood breach also found that financial data was taken: payment card numbers and their expiration dates were exposed, albeit in encrypted form. Encryption only protects this data as long as the keys stay out of the attackers’ hands, and Marriott said at the time that it could not rule out that both components needed to decrypt the card numbers had also been taken.
According to the ICO, the breach affected about 30 million European residents, including 7 million in the U.K.
The British watchdog concluded that Marriott failed to perform sufficient due diligence when it bought Starwood in 2016 and subsequently did not do enough to secure the systems it had inherited.
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” Information Commissioner Elizabeth Denham said.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
(SecurityAffairs – hacking, Marriott)