The Information Commissioner’s Office (ICO) has declared its intent to fine hospitality group Marriott International £99.2 million after a data breach reported in November 2018.
The penalty comes shortly after a record-breaking fine of £183 million was handed to British Airways on 8th July for a similar scandal where customer details were taken. Both instances demonstrate the new extensive powers granted to the ICO with regards to GDPR breaches, which can see the watchdog pursue fines of up to 4% of a company’s global annual revenue.
The personal details of around 339 million guests from 31 European countries were exposed in the massive cyberattack, which is thought to have started as far back as 2014. The stolen data comprised credit card details, names, dates of birth and passport numbers of customers, including 7 million from the UK.
The ICO’s investigation indicates that the data breach originated with the Starwood hotels group, whose systems were compromised in 2014. When Marriott acquired Starwood for £10.8 billion in 2016 and the two groups merged in 2018, Marriott took control of the data held by Starwood. The investigation claims that Marriott did not carry out sufficient checks on Starwood’s data operations, and ‘should have done more to secure its systems’.
On a basic level, the GDPR is designed as a direct replacement for the Data Protection Act, which was introduced in 1995 as a UK equivalent to the EU's 1995 Data Protection Directive.
Affecting all UK companies that collect or process personal information on EU citizens, the new laws are intended to help protect the privacy and rights of individual consumers, giving data subjects more clearly delineated rights regarding what data is held about them, how it can be used, and when it should be deleted.
Although the new law reduces the overall number of principles from eight to six, the revamped regulations will be much broader in scope than the existing ones, handing the consumer greater control over their own personal data, and imposing harsh penalties on organisations that fail to comply.
Information Commissioner Elizabeth Denham had the following to say on the investigation’s findings:
‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’
In light of the scandal and investigation, Marriott has improved its security on customer data files, and the compromised data system has been taken out of Starwood operations. The hospitality group, one of the largest in the world, has also challenged the findings and will be appealing through representations to the ICO.
Marriott’s president and CEO Arne Sorenson said in a press release: ‘We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident.’
‘We deeply regret this incident happened,’ he continued. ‘We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.’
The final decision will be taken by the ICO, with input from other data authorities throughout Europe.
At Virtual College, we understand the importance of GDPR, and the serious implications of a company not being compliant. Therefore, we offer comprehensive GDPR courses to businesses to help them avoid a similar situation.