Marriott International fined £18.4m for 2014 data breach

The decision to issue a substantially lower fine once again raises questions as to the effectiveness of GDPR enforcement

The UK data regulator has issued Marriott International with a watered-down £18.4 million fine for a data breach that affected 339 million guest records worldwide.

The sum has been significantly reduced from the initial £99 million notice of intent to fine that the Information Commissioner’s Office (ICO) first issued the hotel chain in July 2019.

This also follows news that the regulator had dramatically slashed the £183 million fine levied against British Airways to £20 million for a breach that compromised data belonging to 400,000 customers and staff.

”Personal data is precious and businesses have to look after it,” said the Information Commissioner, Elizabeth Denham. “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR rules. 

As a result of the attack, which lasted between 2014 and 2018, roughly seven million guest records of UK residents were affected, with personal data stolen including names and email addresses, as well as unencrypted passport numbers, arrival and departure information, as well as loyalty programme membership numbers.

As with the BA fine, the ICO settled on the vastly reduced penalty after taking the effects of the COVID-19 pandemic on Marriot’s business into account, as well as the steps the company has taken to mitigate the effects of the incident.

The ICO acknowledged, in its announcement, that Marriott “acted promptly” to contact customers, and “acted quickly to mitigate the risk” of damage suffered by customers. The regulator also claims the firm has instigated a number of measures to improve security.

These steps included the deployment of real-time monitoring tools, implementing password resets, disabling known compromised accounts, and implementing enhanced detection tools, as well as key cultural changes. 

The ICO initially considered a revised figure of £28 million, before reducing this by 20% to £22.4 million.

This was further reduced to £18.4 million after the ICO applied its ‘COVID-19 policy’, which the regulator acknowledged in its penalty notice is “considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover”.

Many may argue that the company failed to learn lessons from the initial data breach as the company suffered a second major security incident in March this year, affecting 5.2 million guests. Hackers, in this instance, accessed individuals’ contact information, company, gender, and birthday, among other details.

Both the BA and Marriott decisions, which saw collective fines of £282 million reduced to roughly £38 million, suggests the ICO is adopting a relatively lax approach to enforcing GDPR amid the ongoing pandemic. However, although COVID-19 is certainly a factor in the contraction, Marriott's penalty was already vastly reduced before the ICO applied the contextual COVID-19 policy to the case.

Related Resource

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

"Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems," a company spokesperson told IT Pro

"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."

Featured Resources

Security analytics for your multi-cloud deployments

IBM Security QRadar SIEM solution brief

Download now

Five reasons to move to the cloud

Join the enterprises moving their workloads to the cloud

Download now

Architecting hybrid IT and edge for digital advantage

Why business leaders should consider a hybrid IT strategy

Download now

Six reasons to accelerate remote asset monitoring with AI

How to optimise resources, increase productivity, and grow profit margins with AI

Download now

Recommended

Four tips for keeping your business secure during mass remote work
data protection

Four tips for keeping your business secure during mass remote work

19 Feb 2021
Cost of a data breach report 2020
Whitepaper

Cost of a data breach report 2020

2 Feb 2021
10 ways to protect your company from the next big data breach
data breaches

10 ways to protect your company from the next big data breach

28 Jan 2021
Misconfigured Git servers lead to Nissan data leak
hacking

Misconfigured Git servers lead to Nissan data leak

7 Jan 2021

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
Oxford University COVID lab falls victim to hackers
hacking

Oxford University COVID lab falls victim to hackers

26 Feb 2021
Npower shuts down app after hackers steal user data
hacking

Npower shuts down app after hackers steal user data

25 Feb 2021