Marriott International fined £18.4m for 2014 data breach

The decision to issue a substantially lower fine once again raises questions as to the effectiveness of GDPR enforcement

The UK data regulator has issued Marriott International with a watered-down £18.4 million fine for a data breach that affected 339 million guest records worldwide.

The sum has been significantly reduced from the initial £99 million notice of intent to fine that the Information Commissioner’s Office (ICO) first issued the hotel chain in July 2019.

This also follows news that the regulator had dramatically slashed the £183 million fine levied against British Airways to £20 million for a breach that compromised data belonging to 400,000 customers and staff.

”Personal data is precious and businesses have to look after it,” said the Information Commissioner, Elizabeth Denham. “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR rules. 

As a result of the attack, which lasted between 2014 and 2018, roughly seven million guest records of UK residents were affected, with personal data stolen including names and email addresses, as well as unencrypted passport numbers, arrival and departure information, as well as loyalty programme membership numbers.

As with the BA fine, the ICO settled on the vastly reduced penalty after taking the effects of the COVID-19 pandemic on Marriot’s business into account, as well as the steps the company has taken to mitigate the effects of the incident.

The ICO acknowledged, in its announcement, that Marriott “acted promptly” to contact customers, and “acted quickly to mitigate the risk” of damage suffered by customers. The regulator also claims the firm has instigated a number of measures to improve security.

These steps included the deployment of real-time monitoring tools, implementing password resets, disabling known compromised accounts, and implementing enhanced detection tools, as well as key cultural changes. 

The ICO initially considered a revised figure of £28 million, before reducing this by 20% to £22.4 million.

This was further reduced to £18.4 million after the ICO applied its ‘COVID-19 policy’, which the regulator acknowledged in its penalty notice is “considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover”.

Many may argue that the company failed to learn lessons from the initial data breach as the company suffered a second major security incident in March this year, affecting 5.2 million guests. Hackers, in this instance, accessed individuals’ contact information, company, gender, and birthday, among other details.

Both the BA and Marriott decisions, which saw collective fines of £282 million reduced to roughly £38 million, suggests the ICO is adopting a relatively lax approach to enforcing GDPR amid the ongoing pandemic. However, although COVID-19 is certainly a factor in the contraction, Marriott's penalty was already vastly reduced before the ICO applied the contextual COVID-19 policy to the case.

Related Resource

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Why you need to protect your data resources - whitepaperDownload now

"Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems," a company spokesperson told IT Pro

"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Defend your organisation from evolving ransomware attacks
ransomware

Defend your organisation from evolving ransomware attacks

18 May 2021
Enabling operational resiliency with Veritas
Whitepaper

Enabling operational resiliency with Veritas

18 May 2021
Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021
Peloton security bug could expose user data
data protection

Peloton security bug could expose user data

6 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021