Marriott International was today fined £18.4 million by the ICO for failing to keep the personal data of its guests secure. Attackers compromised the Starwood reservation system in 2014 and retained access until the intrusion was discovered in 2018, exfiltrating around 339 million guest records worldwide.
In July last year, the Information Commissioner's Office announced its intent to fine Marriott International almost £100 million for failing to protect the personal information of millions of guests worldwide. The stolen information included around 30 million records relating to residents of 31 countries in the European Economic Area (EEA), of which 7 million related to people residing in the UK.
The data breach impacted personal and financial information of millions of people who made bookings at Marriott International's Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
"It is believed the vulnerability began when the systems of the Starwood hotel group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems," the ICO observed.
Earlier today, the ICO announced that it has fined Marriott International £18.4 million for failing to keep millions of customers' personal data secure. It arrived at the final figure after taking into consideration representations from Marriott International, the steps Marriott took to mitigate the effects of the incident, and the economic impact of COVID-19 on its business.
The reduction of the fine from nearly £100 million to less than £20 million by the ICO was also influenced by Marriott's actions after the cyber attack was detected. ICO noted that Marriott acted promptly to contact customers and the ICO, acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.
Reacting to the £18.4 million fine issued by the ICO, Marriott said it does not intend to appeal the decision, that it deeply regrets the incident, and that it wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.
"Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognizes the steps taken by Marriott following the discovery of the incident to promptly inform and protect the interests of its guests," the hotel group said in a statement.
Commenting on the fine issued to Marriott, Information Commissioner Elizabeth Denham said millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“Personal data is precious and businesses have to look after it. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect,” she added.
“Regulations are not just something that organisations have to comply with, they should encourage improved behaviours and best practice. Too often, regulation is viewed as a burden, but organisations should start to view it through the lens of their customers, partners, or employees. If a customer trusts you with their data, you owe it to them to protect it and ensure it is safe,” says Dr Francis Gaffney, Director of threat intelligence at Mimecast.
“Many organisations are having to pay financial penalties for such data breaches and it is only afterwards that the cost of a breach now outweighs the potential savings from not investing in security and data management solutions. Furthermore, it is often the case that the damage to the organisation’s reputation and branding dwarfs the fine imposed.
“This breach is particularly worrying, as it went undetected for a number of months and a lot of personal data could have been exposed. More widely, data from individual breaches are capable of being aggregated with information from other, unrelated breaches, to perform credential stuffing attacks against an individual’s online accounts,” he adds.
The regulatory action taken by the ICO may not be the last of Marriott International's worries, as the group is also facing a "data breach group action" filed in the High Court of England and Wales by Martin Bryant, founder of the technology and media consultancy Big Revolution.
"If a major corporation suffers a breach because it didn’t do everything it could to protect your data, and the worst it suffers is a fine for breaking data protection rules, there’s little incentive for anything to really change. But if the company becomes accountable to the customers whose data they lost, it’s a different matter.
"That’s why I have filed a data breach group action in the High Court of England and Wales against Marriott International. The action seeks compensation on behalf of millions of hotel guests who made reservations at hotel brands within the Starwood group," Bryant said. The lawsuit is being funded by Harbour Litigation, and the law firm Hausfeld will represent Bryant in court.