The UK data protection authority – the Information Commissioner’s Office (ICO) – has announced it will fine hotel giant Marriott over £99 million for their data breach that left the information of up to 383 million guests exposed.
Marriott revealed last year that its Starwood properties’ database had been hacked, exposing five million unencrypted passport numbers and eight million credit card records. This also resulted in California making their data breach notification laws significantly stricter (which they stated was in response to this breach).
The fine that the ICO has levied against Marriott was because Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” The ICO also included the fact that the Starwood breach affected circa 30 million residents within the European Union.
Information Commissioner Elizabeth Denham stated: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action.”
Under the GDPR, the data protection authority has the ability to fine a company up to 4% of its global annual turnover; this fine that the ICO is imposing on Marriott represents about 3% of their 2018 turnover.
Marriott’s Chief Executive Arne Sorenson commented on the fine, saying, “We are disappointed with this notice of intent from the ICO which we will contest.”
This is the latest significant fine coming from the ICO – it follows the record fine of £183 million it slapped on British Airways earlier this week for a data breach that occurred last year.
