The Information Commissioner’s Office has fined Marriott hotels (MAR) £18.4m ($23.9m) over a hack which saw the data of over 339 million customers compromised.
A cyber attack, from an unknown source, which affected the systems of the Starwood hotels group in 2014 was not detected until 2018, two years after Starwood was acquired by Marriott. Starwood hotels include Trump Turnberry in Ayrshire, London’s Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly.
Investigators found that Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems.
In July last year, ICO said that it would fine Marriott £99m, but due to the economic impact of COVID-19 and steps taken by the company to mitigate the effects of the incident, the watchdog reduced the fine.
Marriott told Yahoo Finance UK it “deeply regrets the incident.” It said: “Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems.
“The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
Marriott said it does not intend to appeal over the decision, but makes “no admission of liability in relation to the decision or the underlying allegations.”
The firm wants to “reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use,” Marriott said in a company statement.
ICO’s decision brings an end to the two-year UK and EU regulatory investigation.
Because the incident happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR).
Information Commissioner, Elizabeth Denham, said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
While the exact number of people affected is unclear, as there may have been multiple records for individual guests, around 7 million records relate to people in the UK.
It is believed the personal data that was accessed may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
“The total number of guest records is distinct from the total number of individuals whose information may have been involved in the incident, which is believed to be significantly lower than 339 million,” Marriott said.
Earlier this month, ICO fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
The watchdog found that there were “numerous measures” BA could have used to prevent or reduce the impact of the attack, including undertaking rigorous testing on its systems and protecting accounts with multi-factor authentication. It said that none of the measures would have involved “excessive cost or technical barriers” and some were available through the operating system being used by BA.
ICO said that the airline had made “considerable improvements to its IT security” since the attack.