Marriott International fined £18.4m for 2014 data breach

The decision to issue a substantially lower fine once again raises questions as to the effectiveness of GDPR enforcement

The UK data regulator has issued Marriott International with a watered-down £18.4 million fine for a data breach that affected 339 million guest records worldwide.

The sum has been significantly reduced from the initial £99 million notice of intent to fine that the Information Commissioner’s Office (ICO) first issued the hotel chain in July 2019.

This also follows news that the regulator had dramatically slashed the £183 million fine levied against British Airways to £20 million for a breach that compromised data belonging to 400,000 customers and staff.

”Personal data is precious and businesses have to look after it,” said the Information Commissioner, Elizabeth Denham. “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR rules. 

As a result of the attack, which lasted between 2014 and 2018, roughly seven million guest records of UK residents were affected, with personal data stolen including names and email addresses, as well as unencrypted passport numbers, arrival and departure information, as well as loyalty programme membership numbers.

As with the BA fine, the ICO settled on the vastly reduced penalty after taking the effects of the COVID-19 pandemic on Marriot’s business into account, as well as the steps the company has taken to mitigate the effects of the incident.

The ICO acknowledged, in its announcement, that Marriott “acted promptly” to contact customers, and “acted quickly to mitigate the risk” of damage suffered by customers. The regulator also claims the firm has instigated a number of measures to improve security.

These steps included the deployment of real-time monitoring tools, implementing password resets, disabling known compromised accounts, and implementing enhanced detection tools, as well as key cultural changes. 

The ICO initially considered a revised figure of £28 million, before reducing this by 20% to £22.4 million.

This was further reduced to £18.4 million after the ICO applied its ‘COVID-19 policy’, which the regulator acknowledged in its penalty notice is “considerably less than 4%, indeed considerably less than 1%, of Marriott’s total worldwide annual turnover”.

Many may argue that the company failed to learn lessons from the initial data breach as the company suffered a second major security incident in March this year, affecting 5.2 million guests. Hackers, in this instance, accessed individuals’ contact information, company, gender, and birthday, among other details.

Both the BA and Marriott decisions, which saw collective fines of £282 million reduced to roughly £38 million, suggests the ICO is adopting a relatively lax approach to enforcing GDPR amid the ongoing pandemic. However, although COVID-19 is certainly a factor in the contraction, Marriott's penalty was already vastly reduced before the ICO applied the contextual COVID-19 policy to the case.

Related Resource

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Why you need to protect your data resources - whitepaperDownload now

"Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems," a company spokesperson told IT Pro

"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?

What is cyber warfare?

15 Oct 2021