Marriott Makes List of 5 Biggest Data Breach Fines Issued by ICO

Digit has released its “Five of the Biggest Data Breach Fines Issued by the ICO” list, which includes Marriott Hotels. With the General Data Protection Regulation (GDPR) having come into force over a year ago, this year alone the UK watchdog has issued fines worth millions for serious data breaches.

Under GDPR, companies that fail to protect customer data face potentially crippling fines from the Information Commissioner’s Office (ICO), which is empowered to issue fines of up to 4% of the offending organization’s turnover in the preceding financial year.

According to the article, before GDPR, the ICO could impose a maximum fine of £500,000, which to many global organizations is a ‘drop in the ocean.’ In its annual report published in July, the ICO said last year was record-breaking for issuing monetary penalties, although these only totaled £3 million in the 12 months to the end of March.

In this list Digit looks at the biggest fines issued by the ICO due to data breaches; however, it notes that any organization issued with a monetary penalty notice has the right to appeal the decision to the First-tier Tribunal. As Digit reports:

Marriott Hotels – Fined £99m – July 2019

Just one day after issuing a record-breaking fine to BA, the ICO revealed its intention to fine hotel chain Marriott International more than £99m due to a massive data breach. Approximately 339 million customer records were exposed during the breach, of which around 30 million related to residents of 31 countries in the European Economic Area, and 7 million related to UK residents.

In November 2018, Marriott announced it had detected an intrusion and that an unauthorised party had copied and encrypted information from the US booking database of Starwood, which was acquired by Marriott in 2016. When the company undertook an investigation of the hack, it discovered there had been unauthorised access to its network since 2014.

In an update published on January 4th 2019, the company revealed that the hackers had accessed and taken more than 5.25m unencrypted passport numbers, as well as 20.3m encrypted numbers.

Compromised information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

Marriott’s data vulnerabilities, the regulator said, appear to have begun when the systems of the Starwood hotels group were compromised in 2014. The group was subsequently acquired by Marriott in 2016; however, the exposure of customer information was not brought to light until 2018.

The ICO’s investigation into the breach ruled that the hotel chain “failed to undertake sufficient due diligence” when it purchased Starwood and should also have “done more to secure its systems”. However, the ICO noted that Marriott had cooperated fully with its investigation and has since made improvements to its security. The company will now be given an opportunity to make representations to the regulator as to the proposed findings and sanction.