The UK’s Information Commissioner’s Office (ICO) has imposed a £99,200,396 ($123,705,870) fine on Marriott International, a popular hospitality group, for the data breach reported in 2018. The ICO stated that Marriott failed to protect its customers’ information, thus violating the EU’s General Data Protection Regulation (GDPR).
Marriott faced a massive data breach affecting up to 500 million guests last year. Hackers extracted people’s personal data as well as loyalty program, payment, and reservation information. That’s not all: encrypted credit card data of 100 million customers was also stolen.
The breach originated in 2014 at Starwood, which was acquired by Marriott International in 2016. It was uncovered after four years, in September 2018, when a security tool alerted on unauthorized data access. Consequently, the company faced a class-action suit, and its shares also fell around 5.6%.
According to the investigation, hackers stole 383 million guest records, 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment card numbers, and 385,000 card numbers that were still valid at the time of the breach.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said Elizabeth Denham, the Information Commissioner. “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott International’s President and CEO, Arne Sorenson. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The proposed fine on Marriott comes a day after the ICO announced a £183.39 million ($230 million) GDPR fine against British Airways. That proposed fine relates to a data breach notified to the ICO by British Airways in September 2018 that exposed around 500,000 customers’ personal information.
The ICO said its investigation found that the breach compromised customer details, including login, payment card, name, address, and travel booking information, which was collected after users were diverted to a fraudulent website. The data breach, which began in June 2018, occurred due to poor security measures to protect customer information, the ICO stated.