Marriott fined up to £99m for data breach
Multinational hotel chain Marriott is facing fines of up to £99m after a data breach that could have affected 339 million customers. The breach is believed to have originated in the Starwood hotels' systems in 2014.
The news comes shortly after British Airways was fined £183m for a breach of consumers' financial data. The airline claimed that around 380,000 credit and debit cards had been compromised.
Marriott bought Starwood in 2016 but did not disclose the breach until November 2018.
The Information Commissioner’s Office (ICO) said that the chain had not exercised due diligence when it purchased Starwood and should have done more to ensure the systems were safe.
Last year, lawmakers in the EU introduced GDPR (General Data Protection Regulation), which gave regulators more power to penalise organisations for data breaches.
Starwood hotels include Trump Turnberry in Ayrshire, as well as numerous Sheraton hotels and Westin Hotels and Resorts.
Arne Sorenson, president and chief executive of Marriott International, said that the company was "disappointed" with the ICO's decision and that it would appeal the fine.
"Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
When Marriott first disclosed the breach in 2018, it claimed that the guest records of around 339 million people had been compromised, including around five million passport numbers that were not encrypted. It is estimated that around 7 million of those records belonged to UK residents.
Elizabeth Denham, Information Commissioner, said: "The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."