IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Marriott fined £99m for 2018 data breach

ICO says the hotel chain 'failed to undertake due dilligence' in Starwood acquisition

The Information Commissioner's Office (ICO) has said it will fine Marriott International over 99 million following a breach of its systems that led to the exposure of approximately 339 million guest records.

The hotel chain revealed in November that an unknown third-party had gained unauthorised access to its Starwood guest reservation system by exploiting an unpatched vulnerability dating back to 2014.

Of the 339 million records accessed, it's thought around 30 million were related to residents of 31 countries in the European Economic Area, including seven million belonging to UK citizens.

Following an investigation by the ICO, it was found that Marriott, which bought the Starwood brand in 2016, "failed to undertake sufficient due diligence" during the acquisition and missed the vulnerability as a result. The hotel chain has now been fined 99,200,396 for infringements of GDPR.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Despite the large fine, the ICO said the Marriott has co-operated with its investigation and has made improvements to its security arrangements since the breach came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

It's been a busy week for the UK's data watchdog after announced its intent on Monday to fine British Airways for a similar data breach in September 2018. On that occasion, the penalty was a record-breaking 183 million after hackers compromised the personal data of half a million customers.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Most Popular

BT and Cisco partner to help businesses responsibly dispose of unwanted IT equipment
sustainability

BT and Cisco partner to help businesses responsibly dispose of unwanted IT equipment

5 Oct 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022