US hotel giant Marriott International could get a £99.2m (AU$178m) fine from the UK’s privacy watchdog over a multi-year breach of the reservation database of Starwood Hotels, which it acquired in 2016.
Marriott discovered the breach on September 8, 2018 but waited until November 30 to disclose the incident, which gave attackers access to Marriott’s sibling brand’s Starwood database since 2014. The initial 500 million customers Marriott initially estimated to be affected was reduced to 383 million.
While 9.1 million encrypted payment card numbers were copied by the attackers, the long-running breach gave them access to several hundred million customers’ sensitive personal information including copies of passports, dates of birth, and reservation dates.
Marriott on Tuesday filed a report with the US Securities and Exchanges Commission (SEC) disclosing the UK Information Commission’s Office (ICO) proposed fine of £99,200,396 for violating Europe’s new General Data Protection Regulation (GDPR), which came into effect in May 2018.
“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said Marriott International’s President and CEO, Arne Sorenson.
News of Marriott’s fine came a day after the ICO announced the largest ever GDPR fine of £183 million for British Airways (BA) over a 2018 website breach that affected 500,000 customers. BA plans on challenging the fine.
Marriott Hotels also intends to challenge its fine, as is Google, which copped a €50m GDPR fine from France’s privacy watchdog due to its approach to consent on Android.
The ICO today said that 30 million European residents were impacted by the Marriott breach, including seven million UK residents. The breach of Starwood’s reservation system occurred two years before Marriott acquired it in 2016. The ICO led the EU investigation into the Marriott breach on behalf of other EU member regulators.
The ICO has ruled that Marriott failed to undertake “sufficient due diligence” when it bought Starwood and should have done more to bolster security.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said ICO commissioner Elizabeth Denham.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”