IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Marriott International fined £18.4m for 2014 data breach

The decision to issue a substantially lower fine once again raises questions as to the effectiveness of GDPR enforcement

The UK data regulator has issued Marriott International with a watered-down £18.4 million fine for a data breach that affected 339 million guest records worldwide.

The sum has been significantly reduced from the initial £99 million notice of intent to fine that the Information Commissioner’s Office (ICO) first issued the hotel chain in July 2019.

This also follows news that the regulator had dramatically slashed the £183 million fine levied against British Airways to £20 million for a breach that compromised data belonging to 400,000 customers and staff.

”Personal data is precious and businesses have to look after it,” said the Information Commissioner, Elizabeth Denham. “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR rules. 

As a result of the attack, which lasted between 2014 and 2018, roughly seven million guest records of UK residents were affected, with personal data stolen including names and email addresses, as well as unencrypted passport numbers, arrival and departure information, as well as loyalty programme membership numbers.

As with the BA fine, the ICO settled on the vastly reduced penalty after taking the effects of the COVID-19 pandemic on Marriot’s business into account, as well as the steps the company has taken to mitigate the effects of the incident.

The ICO acknowledged, in its announcement, that Marriott “acted promptly” to contact customers, and “acted quickly to mitigate the risk” of damage suffered by customers. The regulator also claims the firm has instigated a number of measures to improve security.

These steps included the deployment of real-time monitoring tools, implementing password resets, disabling known compromised accounts, and implementing enhanced detection tools, as well as key cultural changes. 

The ICO initially considered a revised figure of £28 million, before reducing this by 20% to £22.4 million.

This was further reduced to £18.4 million after the ICO applied its ‘COVID-19 policy’, which the regulator acknowledged in its penalty notice is “considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover”.

Many may argue that the company failed to learn lessons from the initial data breach as the company suffered a second major security incident in March this year, affecting 5.2 million guests. Hackers, in this instance, accessed individuals’ contact information, company, gender, and birthday, among other details.

Both the BA and Marriott decisions, which saw collective fines of £282 million reduced to roughly £38 million, suggests the ICO is adopting a relatively lax approach to enforcing GDPR amid the ongoing pandemic. However, although COVID-19 is certainly a factor in the contraction, Marriott's penalty was already vastly reduced before the ICO applied the contextual COVID-19 policy to the case.

Related Resource

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Why you need to protect your data resources - whitepaperDownload now

"Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems," a company spokesperson told IT Pro

"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Most Popular

Europe's first autonomous petrol station opens in Lisbon

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022