ICO intends to fine Marriott International, Inc more than £99m for data breach

Marriott International has received a notification from the Information Commissioner’s Office (ICO) of the regulator’s intention to fine the hotel chain £99,200,396.

In November 2018, Marriott disclosed that their Starwood reservation database had been compromised between 2014 and 2018.

The breach resulted in approximately 339 million guest records globally being exposed, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). 

Following an investigation by the ICO, it was found that Marriott had failed to undertake sufficient due diligence when it had acquired Starwood in 2016, and that more should have been done to secure its systems.

Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott has co-operated with the ICO investigation and since the incident improvements have been made relating to its security agreements. 

In a statement, Marriott Chief Executive Officer Arne Sorenson said:

“We are disappointed with this notice of intent from the ICO, which we will contest.”

Before a final decision is made, the ICO will consider the representations made by the company and other data protection authorities.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.