The UK’s data privacy watchdog, the Information Commissioner’s Office (ICO), has fined Marriott International £18.4m for a major data breach.
The penalty is related to a cyber-attack that hit Starwood Hotels and Resorts Worldwide in 2014. This hotel group was acquired by Marriott in 2016.
The data breach, which is estimated to have compromised personal details of around 339 million guests, remained undetected until September 2018.
An ICO investigation found that Marriott failed to implement appropriate technical or organisational measures to protect these personal data in compliance with the General Data Protection Regulation (GDPR).
However, the penalty imposed on Marriott considers the period from 25 May 2018, when GDPR came into effect.
The investigation was carried out by the ICO on behalf of all European Union (EU) authorities, as the incident happened when the UK was part of the EU.
In a statement, Information Commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The statement added that Marriott acted promptly on the incident and moved quickly to minimise the risk of damage.
Separately, Marriott International also acknowledged the ICO decision and said that the company ‘deeply regrets the incident’.