UK ICO proposes a $123 million fine for Marriott 2014 data breach

Pierluigi Paganini July 10, 2019

The UK’s data privacy regulator plans to fine the hotel chain Marriott International £99 million ($123 million) under GDPR over a data breach of the Starwood guest reservation database that began in 2014.

The company says it will contest the fine; it can make representations to the ICO before a final determination is issued.

The UK’s data privacy regulator announced that Marriott International faces a fine of £99 million ($123 million) under GDPR over the breach.

According to the U.K.’s Information Commissioner’s Office (ICO), Marriott International infringed the European Union’s General Data Protection Regulation (GDPR).

The news weighed on the company’s shares, which fell 1.5% to $139.20 after the announcement.

In November 2018, the hotel chain announced that data on as many as 500 million guests of its Starwood hotels may have been compromised in a security breach that began in 2014.

This is one of the largest data breaches in history, and the largest to date in the hospitality industry.

Marriott International acquired Starwood Hotels and Resorts Worldwide in 2016 for about $13 billion. The Starwood brands include St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, attackers had unauthorized access to the Starwood guest reservation database from 2014 onwards, and had copied and encrypted information from it.

The intrusion was detected on September 8, 2018, when an internal security tool flagged an attempt to access the Starwood guest reservation database in the United States. On November 19, roughly two months later, the investigation confirmed that there had been unauthorized access to the database containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

For approximately 327 million of those guests, the compromised records include some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information and reservation date.


The investigation also found that payment card numbers and payment card expiration dates were among the stolen data. These fields were stored in encrypted form, but Marriott said at the time that it could not rule out that the components needed to decrypt them had also been taken, so the encryption cannot be assumed to have protected the card data.

According to the Information Commissioner’s Office, the breach affected around 30 million residents of 31 countries in the European Economic Area, seven million of them in the U.K.

“Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).” reads the statement published by the ICO.

“The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018.” 

According to the British regulator, Marriott failed to carry out sufficient due diligence when it bought Starwood in 2016 and did not do enough to secure the systems it inherited in the acquisition.

“It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.” continues the statement. “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The ICO also noted that Marriott has cooperated with its investigation and has made improvements to its security arrangements since the breach came to light.

Marriott President and CEO Arne Sorenson said the company has cooperated with the Information Commissioner’s Office throughout its investigation.

“We are disappointed with this notice of intent from the ICO, which we will contest,” Sorenson said in a statement.

On Monday, the ICO announced its intention to fine British Airways £183 million (about $229 million) over a 2018 data breach that affected roughly 500,000 customers.


Pierluigi Paganini

(SecurityAffairs – Marriott, GDPR)
