Marriott International hotel chain has been fined £18.4m for a data breach that exposed the information of millions of guests worldwide.
The Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights, imposed the heavy fine on the hotel chain for “failing to keep millions of customers’ personal data secure.”
Marriott disclosed a data breach in November 2018 in which around 339 million guest records were exposed globally, of which around seven million belonged to UK residents. Following an investigation, it was found that an unauthorized party had been accessing the network of Starwood Hotels and Resorts Worldwide Inc. since 2014, copying and encrypting information.
The attack was not discovered until September 2018, by which time Starwood had already been acquired by Marriott.
Although the personal data exposed in the breach varied from person to person, it is believed to have included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests’ VIP status, and loyalty program membership numbers.
The ICO found that Marriott had failed to put adequate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).
However, Marriott acted swiftly once it became aware of the incident, notifying customers and the ICO immediately. It also worked promptly to reduce the risk of harm to customers and took several measures to improve the security of its systems.
The ICO stated that, as part of the regulatory process, it considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident, and the economic impact of COVID-19 on the company’s business before setting the final penalty.
The breach began in 2014, while the GDPR only came into effect in May 2018.