Marriott fined £18.4 million by UK watchdog over customer data breach

The fine has been slashed from over £99 million originally proposed In light of the pandemic.
Written by Charlie Osborne, Contributing Writer

The Information Commissioner's Office (ICO) has fined Marriott £18.4 million over a 2014 data breach, heavily reducing the penalty originally planned due to COVID-19 disruption.

The Marriot hotel group was subject to a 2014 data breach impacting the Starwood resort chain, acquired by Marriott in 2015. 

At the time, threat actors were able to infiltrate Starwood systems and execute malware via a web shell, including remote access tools and credential harvesting software. 

The attackers were then able to enter databases used to store guest reservation data including names, email addresses, phone numbers, passport numbers, travel details, and loyalty program information. 

The compromise continued until 2018, and over the course of four years, information belonging to roughly 339 million guests was stolen. In total, seven million records relating to UK guests were exposed.  

See also: ICO fines profiteering UK firm for touting coronavirus products over spam texts

The ICO says the company failed to meet the security standards required by GDPR due to failures to "put appropriate technical or organizational measures in place" when processing data, and as such, the company contravened data protection requirements now enforced through 2018 GDPR regulations. 

However, the watchdog acknowledged that "Marriott acted promptly to contact customers and the ICO" once the cybersecurity incident was uncovered, and "acted quickly to mitigate the risk of damage suffered by customers."

The hotel chain, alongside rivals such as Hilton, has been forced to slash thousands of jobs as travel plans, business trips, and holidays were canceled due to the coronavirus pandemic. After posting its first quarterly loss in close to a decade, the company said it expects a cash burn of $85 million a month in 2020.

Due to Marriott's current struggles and with the company's recent security improvements in mind, the ICO has still issued a fine -- but one drastically cut from its originally-proposed penalty of over £99 million. 

CNET: The best antivirus protection for Windows 10 in 2020

The original notice of intent to fine, issued in July 2019, was set to £99,200,396 for GDPR violations. However, the ICO says that talks with Marriot, security improvements, and the economic damage caused by COVID-19 has led to the revised figure. 

"Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not," commented Elizabeth Denham, UK Information Commissioner. "When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."

Last month, British Airways was fined £20 million by the ICO after cyberattackers stole information belonging to over 400,000 customers in 2018. 

TechRepublic: AWS releases Nitro Enclaves, making it easier to process highly sensitive data

The data and privacy watchdog slammed the airline for "unacceptable" security failures leading to the data breach, including a lack of cybersecurity audits, lax access controls, and little use of two-factor authentication (2FA). 

The fine is one of the highest the ICO has issued to date; however, it may have been far worse. The £20 million figure was calculated in consideration of BA's "considerable" security improvements and the impact of the business caused by COVID-19. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards