UK data watchdog to fine hotel giant Marriott almost £100m

9 Jul 2019


The UK’s data protection authority has confirmed that it will serve Marriott with a fine of more than £99m in relation to a breach of the company’s Starwood guest database.

The UK Information Commissioner’s Office (ICO) has today, 9 July, confirmed its intent to mete out a hefty fine in excess of £99m to hotel giant Marriott for infringements of the General Data Protection Regulation (GDPR).

The fine relates to an incident disclosed in 2018 in which the company’s Starwood database was compromised. As many as 383m guest records were compromised, though the company has previously said that it is unable to determine the exact amount “due to the nature of the database”. The ICO believes that 30m of those guests were residents of the European Economic Area (EEA) and 7m were UK residents.

It is believed that more than 5m unencrypted passport numbers and millions more encrypted payment cards were accessed by threat actors during the attack. Though the breach was dated back to 2014, it was not discovered until November 2018.

The company subsequently phased out the Starwood reservation database completely, effective by the end of 2018. Starwood brands include Westin Hotels & Resorts, St Regis, Sheraton Hotels, W Hotels and a number of different branded timeshare properties.

In a statement, the ICO said that its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”. Marriott acquired Starwood in 2016, two years after the breach is thought to have taken place.

UK information commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott issued an update on the situation in a filing made today with the US Securities and Exchange Commission. In it, chief executive Arne Sorenson said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Just yesterday, the ICO announced its intention to levy a record £183m fine against British Airways for a skimming breach that affected 500,000 customers. This amounts to 1.5pc of the airline’s world turnover in 2017.

Marriott hotel sign. Image: Stas_K/Depositphotos.

Eva Short was a journalist at Silicon Republic