Hotel chain Marriott has been fined £18.4 million by the Information Commissioner’s Office (ICO) for failing to protect customer data.
An investigation into the Marriott data breach found the hotel giant failed to put in place “appropriate technical measures” to protect data being processed on its systems.
Marriott estimates that around 339 million guest records were exposed as a result of the 2014 cyberattack on Starwood Hotels and Resorts.
The attack remained undetected for several years, however, and was only discovered in September 2018 following Marriott’s acquisition of the Starwood chain.
Personal data exposed in the breach included names, email addresses, phone numbers, unencrypted passport numbers and loyalty programme membership numbers.
The exact number of people affected still remains unclear as there may have been multiple records for an individual guest. It is believed that anywhere up to seven million exposed guest records belonged to British customers.
Information Commissioner Elizabeth Denham said the company failed in its duty to protect customer data.
“Millions of people’s data was affected by Marriott’s failure thousands contacted a helpline and others may have had to take action to protect their personal data because the company trusted with it had not,” she said.
The Marriott hack
The Marriott attack dates back to 2014 when an unknown attacker installed a piece of code known as a ‘web shell’ onto a Starwood system. This gave the attacker the ability to access and edit the contents of the device remotely.
Access to this system was then exploited to install malware, which further enabled the attacker to gain access to the system as a privileged user.
Further down the line, additional tools were installed to gather login credentials for users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.
- British Airways fined £20m for 2018 data breach failures
- Marriott reveals new data breach affected 5.2 million guests
- Security researchers highlight vulnerabilities on Marriott, BA and EasyJet sites
Because the breach happened before the UK left the European Union, the ICO investigated on behalf of all EU authorities as the lead supervisory authority under GDPR.
The ICO said that while its investigation traced the cyberattack back to 2014, the penalty only relates to the May 2018 breach. Additionally, the regulator said it considered Marriott’s response – as well as the current economic environment – when reaching a decision.
“The ICO acknowledges that Marriott acted promptly to contact customers and the ICO,” the regulator confirmed in a statement.
“It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems,” the ICO added.
In a statement, Marriott said it “deeply regrets the incident” and insisted it will continue to invest in protecting customer data.
“Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises,” the statement reads.
The hotel chain said it does not intend to appeal the decision. However, it added the company “makes no admission of liability in relation to the decision or the underlying allegations”.
A message to businesses
This latest penalty is one of the largest imposed by the ICO, with the British Airways fine just narrowly beating it.
Despite this, the fine still represents a fraction of what the ICO previously said it intended to impose.
In 2019, the ICO said it intended to hand down a fine of £99.2 million. The £20 million British Airways fine also fell considerably short of the initial £183 million proposed by the regulator.
Chris Combemale, CEO of the Data & Marketing Association, said the ICO’s actions this month have sent out a strong message to organisations taking a lax approach to data protection.
“Given the dramatic fall in revenue that the travel and leisure sector has experienced during the coronavirus pandemic, these fines send a very powerful message to organisations that they must invest in keeping their customers’ data secure,” he said.