US hotel chain Marriott International faces a potentially hefty financial penalty for a data breach that affected hundreds of millions of people.
The Information Commissioner’s Office (ICO) launched its investigation into the “colossal” hack on Marriott International back in December last year. That hack was only disclosed in November 2018, but it affected the personal details and payment card data of up to 340 million people, dating back to 2014.
Earlier this week it was revealed that British Airways is facing an eye-watering penalty of £183.39 million for a data breach last year that affected half a million customers.
The size of the proposed fine for Marriott reflects the fact that the breach falls under the stricter data protection rules of the General Data Protection Regulation (GDPR), which took effect in May 2018.
The ICO announced its decision to fine the American hotel chain more than £99 million in a statement of intent.
“Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR),” said the ICO.
The ICO said that the data breach happened when the systems of the Starwood hotels group were compromised in 2014.
Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” said Denham. “If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott has co-operated with the ICO inquiry and now has an opportunity to make representations to the data protection watchdog on the proposed findings and sanction. No doubt it will appeal any ruling.
“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott International’s president, Arne Sorenson, told the BBC. “Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
“We deeply regret this incident happened,” said Sorenson. “We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Security experts have warned that firms need to start taking GDPR seriously, along with the size of the fines that breaches can result in.
“Two monumental fines over the course of two days for breaking GDPR guidelines shows the ICO are really starting to take these breaches of security seriously – as they should be,” said Tim Dunton, MD at Nimbus Hosting.
“Businesses must begin to understand the power they have when collecting and storing customer data and must face severe consequences when they fail to properly secure this,” said Dunton. “Website security must be the biggest concern for businesses who store personal customer information and they have to begin to ensure they are using a secure system to host their websites.”
Another expert warned firms that they have a serious duty of care to protect customer data.
“Coming hot on the heels of the record fine issued to BA yesterday, the penalty the ICO has imposed on the Marriott hotel group following its own recent data breach heralds a new era of greater regulatory power,” said Matt Middleton-Leal, general manager, EMEA & APAC at Netwrix.
“Watchdogs’ barks may once have been considered worse than their bite, but this is no longer the case since the introduction of GDPR,” said Middleton-Leal. “Any company that routinely processes customer data has a serious duty of care to protect this, and is almost certainly on the radar of opportunistic and skilled hackers.”
“These vast fines should provide a stark warning to organisations that have failed to adapt their approach to security since the regulation came into effect,” said Middleton-Leal. “Compliance with regulation can in fact be achieved without a significant overhaul of workflows, but what is most important, as ever, is a change of mindset.”
Meanwhile Jake Moore, Cybersecurity Specialist at ESET, believes this case highlights that it is not just UK companies at risk of eye-watering fines.
“Interestingly, these firms’ attacks were by no means the largest in terms of numbers for 2018,” said Moore. “This could, in fact, be the tip of the iceberg of what is to come but let’s hope others are taking copious amounts of notes as to how to handle a breach or better still, evade the attacks as best they can in the first place.”