UK authorities fine Marriott £99 million over data breach


The UK’s data protection authority has announced its intention to fine US hotel company Marriott £99 million over a data breach that exposed personal information on more than 330 million guests, BBC News reports.

Marriott reported the incident in late 2018, but the intrusion dates back to 2014, meaning the attackers went undetected for roughly four years. Hackers breached the central reservation database of Starwood, a rival hotel group that Marriott acquired in 2016, accessing about five million unencrypted passport numbers and eight million credit card numbers. The Starwood reservation system has since been phased out. About 30 million of the affected guests were European Union residents.

Europe’s General Data Protection Regulation (GDPR) has given authorities such as the UK’s Information Commissioner’s Office (ICO) much stronger powers against companies that mishandle personal data. Regulators can fine a company up to 4 percent of its annual global turnover (or €20 million, whichever is higher). In this case, the ICO’s proposed fine represents about 3 percent of Marriott’s 2018 turnover.

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” Marriott International President Arne Sorenson said in a filing with the US Securities and Exchange Commission.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

According to the ICO, Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The ICO said Marriott will have the chance to discuss the findings and the proposed penalty before a final decision is made. But Information Commissioner Elizabeth Denham noted that “the GDPR makes it clear that organizations must be accountable for the personal data they hold.”

A day earlier, the ICO had announced a £183 million fine against British Airways over a separate data breach, in which credit card information from around 500,000 customers was stolen between August and September 2018.

Jason Hill, lead researcher at security company CyberInt, called the large fines “a wake-up call to all organizations, big and small,” noting that a smaller company could be devastated by a large fine combined with a loss of consumer confidence.

According to Denham:

“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
