Marriott International fined £18.4m for 2014 data breach

The decision to issue a substantially lower fine once again raises questions as to the effectiveness of GDPR enforcement

The UK data regulator has issued Marriott International with a watered-down £18.4 million fine for a data breach that affected 339 million guest records worldwide.

The sum has been significantly reduced from the initial £99 million notice of intent to fine that the Information Commissioner’s Office (ICO) first issued the hotel chain in July 2019.

This also follows news that the regulator had dramatically slashed the £183 million fine levied against British Airways to £20 million for a breach that compromised data belonging to 400,000 customers and staff.

”Personal data is precious and businesses have to look after it,” said the Information Commissioner, Elizabeth Denham. “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR rules. 

As a result of the attack, which lasted between 2014 and 2018, roughly seven million guest records of UK residents were affected, with personal data stolen including names and email addresses, as well as unencrypted passport numbers, arrival and departure information, as well as loyalty programme membership numbers.

As with the BA fine, the ICO settled on the vastly reduced penalty after taking the effects of the COVID-19 pandemic on Marriot’s business into account, as well as the steps the company has taken to mitigate the effects of the incident.

The ICO acknowledged, in its announcement, that Marriott “acted promptly” to contact customers, and “acted quickly to mitigate the risk” of damage suffered by customers. The regulator also claims the firm has instigated a number of measures to improve security.

These steps included the deployment of real-time monitoring tools, implementing password resets, disabling known compromised accounts, and implementing enhanced detection tools, as well as key cultural changes. 

The ICO initially considered a revised figure of £28 million, before reducing this by 20% to £22.4 million.

This was further reduced to £18.4 million after the ICO applied its ‘COVID-19 policy’, which the regulator acknowledged in its penalty notice is “considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover”.

Many may argue that the company failed to learn lessons from the initial data breach as the company suffered a second major security incident in March this year, affecting 5.2 million guests. Hackers, in this instance, accessed individuals’ contact information, company, gender, and birthday, among other details.

Both the BA and Marriott decisions, which saw collective fines of £282 million reduced to roughly £38 million, suggests the ICO is adopting a relatively lax approach to enforcing GDPR amid the ongoing pandemic. However, although COVID-19 is certainly a factor in the contraction, Marriott's penalty was already vastly reduced before the ICO applied the contextual COVID-19 policy to the case.

Related Resource

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

"Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems," a company spokesperson told IT Pro

"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020