Hotel giant Marriott International has been fined £18.4 million by the Information Commissioner’s Office (ICO) for failing to prevent a massive data breach.
The fine for Marriott comes just two weeks after the ICO issued a record £20 million penalty to British Airways for its own data breach under GDPR rules.
The Marriott incident relates to a cyber attack in 2014 on Starwood Hotels and Resorts’ systems – Starwood was subsequently purchased by Marriott in 2016.
The breach of Starwood’s reservations systems was not detected until four years later in autumn 2018, with the incident affecting the personal data of around 339 million guests globally, including seven million people in the UK.
The data, which the ICO said Marriott failed to protect, included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, and loyalty programme membership numbers.
Information commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it.
“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”
Marriott’s fine of £18.4 million is considerably lower than the £99.2 million that the ICO said it was originally “intending” to fine the hotel company in July last year.
Marriott confirmed that it was not planning to appeal the ICO decision but added that it “makes no admission of liability in relation to the decision or the underlying allegations”.
“As the ICO acknowledges, Marriott co-operated fully throughout the investigation,” said the US-based company.
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises.
“The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
Marriott also pointed out that the Starwood network was “no longer in use”.