Marriott faces £99m GDPR fine for data breach

US-headquartered global hotel chain Marriott International faces a £99m (€110m) fine for breaching Europe’s General Data Protection Regulation (GDPR), following a cyberattack on one of its reservation databases.

The fine is set to be handed out by UK data regulator the Information Commissioner’s Office (ICO), which, in line with the GDPR, has taken the lead in the case on behalf of Europe’s other data regulators.

It follows the record £183.4m (€204.8m) GDPR fine proposed by the ICO against British Airways (BA) this week, after a cyberattack saw customers redirected to a fake website where personal data on 500,000 customers was harvested.

The ICO was notified of the cyberattack on Marriott in November. It exposed personal data of 339 million Marriott guests globally, including 30 million in Europe and seven million in the UK.

The ICO said a vulnerability in Marriott’s customer booking system can be traced to the Starwood Hotels and Resorts Worldwide group. Its booking systems were compromised in 2014 and inherited by Marriott in 2016 when it acquired the Starwood company. However, the breach was only detected last year.

“Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems,” the ICO said. UK information commissioner Elizabeth Denham said cybersecurity should be a top priority in merger and acquisition deals.

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” she said.

Marriott International said it is “disappointed” with the notice of intent to fine the firm £99m. It said it will “vigorously defend” its position under its right to respond before a final notice is issued. Marriott International’s president and CEO Arne Sorenson said the company has cooperated with the ICO and no longer uses the Starwood booking system.

Since the GDPR took effect in May 2018, experts have been braced for fines of this magnitude to test the new regulation. It has the power to fine companies up to 4% of global annual turnover. BA’s proposed fine represents 1.5% of its annual global turnover.

CRE reported this week that Ferma is working on a project with the European auditors association to assess the impact of the new data protection regime on members. It warned that the latest ICO fines show regulators are getting tougher on firms. “As predicted, national authorities are now intensifying their supervisory action [under the GDPR],” Ferma said.