The UK Information Commissioner’s Office (ICO) has fined US-headquartered Marriott International £18.4 million for failing to keep millions of customers’ personal data secure.
Marriott estimated that 339 million guest records worldwide were affected following a cyber attack in 2014 on Starwood Hotels and Resorts Worldwide. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
Earlier this month, the ICO fined British Airways £20 million - its biggest fine levied so far - for failing to protect the personal and financial details of more than 400,000 customers. That breach took place in June 2018.
The Marriott personal data involved differed between individuals, but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.
The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK, said the ICO.
The regulator’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).
Information commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure - thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”
The ICO’s investigation traced the cyber attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.
Commenting on the action, Adam Rose, a partner at legal firm Mishcon de Reya, said: “This decision puts an inordinate strain on a buyer of a company - with all its due diligence and warranty protections, Marriott did not uncover the data breach, not least because Starwood didn’t know about it.
“This sort of decision does little to protect individuals, or to help successful businesses grow through acquisitions,” he continued, adding: “Marriott did all that it reasonably could when making the acquisition, but is now facing a large fine.”