The Information Commissioner's Office (ICO) has fined hotel chain Marriott International £18.4m over a data breach that exposed the information of millions of guests worldwide.
The UK's independent body set up to uphold information rights imposed the financial penalty on Marriott for "failing to keep millions of customers' personal data secure."
In November 2018, Marriott reported a data breach that saw an estimated 339 million guest records exposed globally, of which around seven million related to UK residents. An investigation into the incident revealed that an unauthorized party had been accessing the network of Starwood Hotels and Resorts Worldwide Inc. since 2014, copying and encrypting information.
The attack remained undetected until September 2018, by which time Starwood had been acquired by Marriott.
The personal data involved in the breach differed between individuals, but the ICO said that it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status, and loyalty program membership numbers.
An investigation into the incident by the ICO found that Marriott "failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR)."
However, the ICO recognized that Marriott was swift to act once the breach had been discovered, contacting customers and the ICO promptly.
"It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems," said the commissioner's office.
In July last year, the ICO announced an intention to fine Marriott £99m over the data breach for "infringements of the GDPR."
In a statement released yesterday, the ICO said: "As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty."
Although the breach dates back to 2014, the GDPR only came into effect in May 2018, two years before the UK left the European Union.