Marriott Fined £18.4m Over Data Breach

The Information Commissioner's Office (ICO) has fined hotel chain Marriott International £18.4m over a data breach that exposed the information of millions of guests worldwide.

The UK's independent body set up to uphold information rights imposed the financial penalty on Marriott for "failing to keep millions of customers' personal data secure."

In November 2018, Marriott reported a data breach that saw an estimated 339 million guest records exposed globally, of which around seven million related to UK residents. An investigation into the incident revealed that an unauthorized party had been accessing the network of Starwood Hotels and Resorts Worldwide Inc. since 2014, copying and encrypting information.

The attack remained undetected until September 2018, by which time Starwood had been acquired by Marriott.

The personal data involved in the breach differed between individuals, but the ICO said that it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status, and loyalty program membership numbers.

An investigation into the incident by the ICO found that Marriott "failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR)."

However, the ICO recognized that Marriott was swift to act once the breach had been discovered, contacting customers and the ICO promptly.

"It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures ..
