The Information Commissioner’s Office (ICO) has fined Marriott £18.4 million over a 2014 data breach, heavily reducing the penalty originally planned due to COVID-19 disruption.
The Marriot hotel group was subject to a 2014 data breach impacting the Starwood resort chain, acquired by Marriott in 2015.
At the time, threat actors were able to infiltrate Starwood systems and execute malware via a web shell, including remote access tools and credential harvesting software.
The attackers were then able to enter databases used to store guest reservation data including names, email addresses, phone numbers, passport numbers, travel details, and loyalty program information.
The compromise continued until 2018, and over the course of four years, information belonging to roughly 339 million guests was stolen. In total, seven million records relating to UK guests were exposed.
The ICO says the company failed to meet the security standards required by GDPR due to failures to “put appropriate technical or organizational measures in place” when processing data, and as such, the company contravened data protection requirements now enforced through 2018 GDPR regulations.
However, the watchdog acknowledged that “Marriott acted promptly to contact customers and the ICO” once the cybersecurity incident was uncovered, and “acted quickly to mitigate the risk of damage suffered by customers.”
The hotel chain, alongside rivals such as Hilton, has been forced to slash thousands of jobs as travel plans, business trips, and holidays were canceled due to the coronavirus pandemic. After posting its first quarterly loss in close to a decade, the company said it expects a cash burn of $85 million a month in 2020.
Due to Marriott’s current struggles and with the company’s recent security improvements in mind, the ICO has still issued a fine — but one drastically cut from its originally-proposed penalty of over £99 million.
The original notice of intent to fine, issued in July 2019, was set to £99,200,396 for GDPR violations. However, the ICO says that talks with Marriot, security improvements, and the economic damage caused by COVID-19 has led to the revised figure.
“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” commented Elizabeth Denham, UK Information Commissioner. “When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Last month, British Airways was fined £20 million by the ICO after cyberattackers stole information belonging to over 400,000 customers in 2018.