The Information Commissioner’s Office (ICO) has announced its intention to fine Marriott International £99 million for breaching data protection regulations.
The fine relates to a cyber incident last year in which more than 330 million guest records were exposed – of which, around 30m were related to residents of 31 countries in the European Economic Area (EEA). Around 7m UK residents are believed to have had their details exposed in the breach.
This marks the second significant fine imposed on a company by the ICO in the space of a week. On Monday, the regulator fined British Airways a record-breaking £183 million for its failure to protect consumer data.
- Marriott revises damage estimates following data breach
- British Airways facing £183 million fine over data breach
Marriott’s data vulnerabilities, the regulator said, appear to have begun when the systems of the Starwood hotels group were compromised in 2014. The group was subsequently acquired by Marriott in 2016, however, the exposure of customer information was not brought to light until 2018.
The ICO’s investigation into the breach ruled found that the hotel chain “failed to undertake sufficient due diligence” when it purchased Starwood and should also have “done more to secure its systems”.
Commenting on the announcement, Information Commissioner Elizabeth Denham stated: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Denham added: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The ICO noted that Marriot cooperated fully with its investigation and has since made improvements to its security arrangements. The company will now be given an opportunity to make representations to the regulator as to the proposed findings and sanction.