ICO slashes Marriott GDPR fine to £18.4m

UK regulator the Information Commissioner’s Office (ICO) has slashed its proposed GDPR fine of almost £100m against hotel group Marriott International to just £18.4m, after it took into account the impact of Covid-19 on the business and mitigation measures put in place after the breach was identified.

The reduced penalty was anticipated after the ICO reduced a record fine of £183m against British Airways (BA) to £20m last month. This also took into account the economic impact of Covid-19 on BA.

Marriott International detected a cyberattack on Starwood Hotels and Resorts in September 2018. Although the attack dates back to 2014, before Marriott acquired Starwood, the ICO fine only applies from May 2018, when the EU’s GDPR came into effect.

Malware installed on Starwood’s booking system exposed the personal data of 339 million hotel guests around the world. Seven million UK guest records and 30 million across Europe were affected. Names, emails, phone numbers, unencrypted passport numbers, travel information and loyalty membership numbers were all exposed as part of the cyberattacks.

“There were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR,” the ICO said.

The ICO investigated the Marriott breach on behalf of all EU authorities under the GDPR and the final fine has been approved by Europe’s other data protection authorities.

The ICO first issued Marriott with a notice of intent to fine the company £99m in July last year. At the time, the ICO said Marriott failed to complete sufficient due diligence before it bought Starwood in 2016 and should have done more to secure its systems when it became part of the Marriott group.