By Bev Fearis, published 04/11/20
Marriott International has been forced to pay a fine of £18.4 million following a cyber-attack involving the personal details of up to 339 million hotel guests.
Although sizeable, the penalty is far less than the fine of up to £100 million initially threatened by the Information Commissioner’s Office (ICO).
Paul Cahill, Data Breach Solicitor at Fletchers Data Claims, said: “Whilst it might seem that Marriott has had a lucky escape here with their fine having been reduced from £100 million, similarly to BA recently, the ICO’s decision to reduce the fine was based upon swift action from Marriott to mitigate the effects of the incident, contacting customers quickly and putting in place a number of retroactive measures to improve the security of its systems.
“This highlights the crucial importance of transparency, clear communication and prompt action from businesses when a breach does occur, to minimise financial and reputational damage.”
The cyber attack happened in 2014 on Starwood Hotels and Resorts and wasn’t discovered until September 2018, by which time Starwood had been acquired by Marriott.
The fine only relates to the breach from March 2018 when new GDPR rules came into force.
The exact number of hotel guests affected is not known because there might have been multiple records for an individual guest. Seven million guest records related to people in the UK.
Names, contact information, and passport details could all have been compromised in the attack.
Information Commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”