ICO Fines Marriott £99 million for Data Breach Affecting 339 Million Customers

The UK Information Commissioner’s Office has hit Marriott with a £99 million fine for a GDPR data breach which affected 339 million customers.

This announced comes only a few days after the ICO announced it was fining British Airways a record-breaking £183 million for a data breach affected 500,000 people. BA’s data breach was also related to violations of the EU’s General Data Protection Regulation (GDPR).

The Marriott breach started in 2014, at Starwood Hotels & Resorts Worldwide, when hackers hijacked a database containing customer information. Marriott purchased the chain in September 2016, but failed to notice the breach until September 2018.

Due to the delay in the discovery of the breach, ICO determined that Marriott hotels failed to conduct sufficient due diligence while acquiring Starwood Hotels and therefore neglected to ensure that their customer’s information could remain secure.

GDPR does not expect organisations to be able to prevent every data breach. Even the most sophisticated cybersecurity systems have vulnerabilities which skilled hackers can exploit. However, in this case, the investigators concluded that Marriott should have made a greater effort to ensure that its databases were secure and prevented unauthorised individuals from gaining access to such sensitive information.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Under GDPR rules, when an organisation discovers a data breach that has comprised or exposed EU citizen’s data, the breach must be reported to that country’s ICO within 72 hours of discovery. ICO investigates data breaches to determine whether GDPR rules were violated. ICO also investigates complaints about GDPR violations from consumers.

Marriott informed the ICO within an appropriate timeframe of the discovery of the breach and cooperated fully with the ICO investigation. Marriott has stated that it has already redesigned its security program and has improved its defences.

Marriott has 28 days to appeal the proposed £99,200,396 fine before ICO makes its final determination.

“We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott.“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Before GDPR, the maximum fine that could be levied against an organisation for a data breach was £500,000. GDPR allows penalties of up to 4% of the company’s annual revenue, thus allowing the ICO to fine Marriott nearly £100 million for this breach.