UK supervisory body plans to fine Marriott £99 million




Some 339 million customer records were compromised

The UK's data privacy regulator has announced plans to impose a £99.2 million fine on the Marriott International hotel group.

The penalty relates to a data breach that resulted in the exposure of the personal data of approximately 339 million guests.

The incident is believed to date back to 2014 but was only discovered in 2018.

This comes a day after the Information Commissioner's Office (ICO) announced its intention to fine British Airways £183 million for a separate offense.

The size of both sanctions reflects the more extensive powers the watchdog has under the EU's General Data Protection Regulation (GDPR), which came into force last year.

The Marriott data breach involved 30 million European-owned records. This happened within Starwood, a rival hotel group acquired by Marriott three years ago. The compromised guest reservation system has since been removed.

Marriott International's President, Arne Sorenson, said: "We are disappointed with this statement of intent by the ICO, which we will challenge." Marriott has cooperated with the ICO throughout its investigation of the incident, which involved a criminal attack against the Starwood guest booking database.

"We deeply regret that this incident has occurred. We take the privacy and security of customer information very seriously and continue our efforts to achieve the level of excellence expected of our customers by Marriott."

The ICO stated that Marriott had not properly reviewed Starwood's data practices and should have done more to secure its systems.

"The GDPR makes it clear that organizations must be responsible for the personal data that they hold," said Information Commissioner Elizabeth Denham.

"This may include exercising due diligence when acquiring a business and putting in place appropriate accountability measures to evaluate not only the personal data that has been acquired, but also how it is protected."

Jason Hill, a senior researcher at security firm CyberInt, said: "Draconian fines … are a warning to all organizations, large and small."

"While this may be a big blow to a company like BA or Marriott, they are tough enough to deal with the storm, and a smaller organization that is severely violated may be overtaken by any penalty, combined with the loss of consumer confidence and resulting damage to reputation, with devastating consequences for its business."
