Home News Marriott International Slapped with $123 Mn GDPR Fine for 2014 Data Breach

Marriott International Slapped with $123 Mn GDPR Fine for 2014 Data Breach

Marriott International’s Data Breach Exposes Records of 5.2 Million Guests

The U.K.’s Information Commissioner’s Office (ICO) imposed £18.4 million ($23.92 million) fine on Marriott International Inc. for violating the GDPR guidelines. The data privacy regulator stated that Marriott has failed to protect the personal data of millions of its customers. Around 339 million guest records worldwide were affected after a cyberattack on Starwood Hotels and Resorts Worldwide Inc. in 2014, remained undetected until September 2018, by when the company had been acquired by Marriott.

Attack Background

In 2014, an unknown attacker installed a malware code in the Starwood systems to obtain access to the contents remotely. With unrestricted access to the infected device, attackers distributed malware to other devices on the network to steal customers’ sensitive information. The exposed information included names, email addresses, unencrypted passport numbers, phone numbers, arrival/departure information, guests’ VIP status, and loyalty program membership number.

Related Story: Four Biggest GDPR Fines of 2020

Violation Penalty

The ICO’s investigation found that Marriott failed to put appropriate security measures to protect its customers’ data being processed on its systems, as per the GDPR.

In July 2019, the ICO issued Marriott with a notice of intent to fine up to £99,200,396 ($123 million) for violating the data breach regulations. However, the regulator decreased the penalty amount considering the economic impact of COVID-19 on their business.

Information Commissioner, Elizabeth Denham said, “Personal data is precious, and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Related Story: Marriott International faces $123 million GDPR fine