In July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99 million for the 339 million-record data breach the hotel group disclosed in 2018. On October 30, 2020, the ICO announced that the financial penalty had been reduced by 82%, with Marriott ordered to pay £18.4 million.
The ICO investigated the data breach and determined that Marriott International had violated the GDPR, specifically by failing to protect the personal data of up to 339 million customers, including 7 million in the UK, and by failing to prevent unlawful processing of customer data on its systems.
While the data breach was discovered in 2018, the initial attack occurred in 2014 when unknown individuals installed a web shell on a device with access to the systems of Starwood Hotels and Resorts Worldwide Inc., which was subsequently acquired by Marriott.
The web shell was used to install malware that allowed the attackers to remotely access and alter the device. The malware gave the attackers unrestricted access to the compromised device and to others on the network. The attackers then installed further malicious tools that allowed them to harvest login credentials for other users of the Starwood network and to access the reservation database, which they exported.
The initial intrusion occurred before the GDPR took effect on May 25, 2020, and the breach remained undetected until September 2018. The financial penalty therefore only covers the period from May 25, 2020 until the attackers were ejected from Marriott’s systems.
In setting the financial penalty, the ICO took into account Marriott’s representations and the steps it took to mitigate the harmful effects of the breach. Marriott acted promptly and has since put protections in place to prevent similar breaches. The economic impact of COVID-19 was also taken into consideration.
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” said Information Commissioner Elizabeth Denham. “When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Marriott has stated it intends to appeal the fine and has made no admission of liability.
The ICO similarly reduced the financial penalty imposed on British Airways for its massive data breach, taking into account the company’s representations and the damaging effect of COVID-19 on the airline. BA’s GDPR fine was recently reduced by 89% to £20 million.