The UK Information Commissioner’s Office has fined Marriott International Inc £99 million under GDPR for a data breach that affected seven million UK residents.
The ICO released its statement of intention to fine Marriott on July 9, only a few days after announcing a record-breaking £183 million fine against BA for a data breach that affected 500,000 people. BA’s data breach was also related to violations of the EU’s General Data Protection Regulation (GDPR).
The Marriott breach affected approximately 339 million guests around the world, including 7 million in the UK. The breach started in 2014 when hackers broke into a customer database at Starwood Hotels & Resorts Worldwide, which was purchased by Marriott in September 2016. The compromised database was not noticed for a further two years, until September 2018.
According to the statement, the ICO determined that Marriott ‘failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.’
Under GDPR, organizations that hold data about EU citizens are expected to take reasonable measures to protect the privacy, confidentiality, and integrity of individuals’ data. GDPR does not expect organizations to be able to prevent every data breach, as even the most sophisticated cybersecurity systems have vulnerabilities which skilled hackers can exploit.
However, in this case, ICO investigators concluded that Marriott should have made a more considerable effort to ensure that its databases were secure and prevented unauthorized individuals from gaining access to such sensitive information.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
GDPR requires organizations to report data breaches to the relevant supervisory authority (in the UK, the ICO) within 72 hours of discovery. The ICO investigates data breaches to determine whether GDPR rules were violated. The ICO also investigates complaints about GDPR violations from consumers.
Marriott informed the ICO within an appropriate timeframe of the discovery of the breach and cooperated fully with the ICO investigation. The ICO statement notes that Marriott has already made improvements to its security framework since the breach was discovered.
Marriott has 28 days to appeal the proposed £99,200,396 fine before the ICO makes its final determination.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Before GDPR, the maximum fine that could be levied against an organization for a data breach was £500,000. GDPR allows penalties of up to 4% of the company’s annual revenue, thus allowing the ICO to fine Marriott nearly £100 million for this breach.