(“Starwood”) (acquired by Marriott in 2016), affected an estimated 339 million guest records globally, with seven million records relating to individuals in the UK.
The personal data involved varied; some of it was encrypted and some was not. It may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers, according to the Information Commissioner’s Office (ICO). The breach is thought to have affected around 30 million users across the European Union, per an earlier ICO estimate.
An investigation revealed that the hotelier failed to implement appropriate technical or organisational measures to protect its customers.
Marriott International has been fined £18.4m by the Information Commissioner’s Office (ICO) for a breach of the General Data Protection Regulation (GDPR) in failing to protect the personal data of millions of its customers. This sounds logical, but we must not overlook Marriott’s recent failure to protect customer data again, even after all that had happened previously.
“Within just two weeks, the ICO has now issued a fine of £20m to British Airways and £18.4m to Marriott”.
It added: “Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use”.
Marriott said it regrets the incident but makes no admission of liability.
The penalty had to be signed off by other European Union data protection authorities, under the GDPR’s one-stop-shop mechanism for cross-border cases.
Prior to 2018, the maximum penalty available to the ICO was £500,000 across the board.
One notable element here is the difference between the initial penalty proposed by the ICO and the final fine. The new statutes have given the watchdog the power to penalise breaches of data-protection law with fines of about £18m or 4% of the global turnover of the organisation in question, whichever figure is greater. Before that, data protection rules existed in the region but could easily be ignored, given the puny penalties. The GDPR was supposed to change that.
However, nearly 2.5 years since the framework began being applied, large fines remain rare, with a backlog of major cross-border cases still awaiting decisions. Today’s haircut revises that picture. The first figure proposed represented around 3% of the company’s 2018 revenue (circa $3.6 billion), but that has now shrunk to around 0.6%.
It follows a very similar episode at the ICO over a BA data breach. However, our research earlier this year suggested that Marriott had not learned lessons from previous data breaches and still had serious vulnerabilities on its websites that could leave customers exposed to opportunistic cybercriminals.
In both instances the impact of the coronavirus appears to be playing some part in explaining why the ICO has reduced the size of the penalties, though the pandemic is likely to be something of a convenient scapegoat given the substantial size of the reductions involved.
The officer justified the decision by mentioning Marriott’s responsible stance, as well as the COVID-19 situation.
And to make matters worse, in April this year Marriott confirmed it had suffered a second data breach, which had compromised the personal data of roughly 5.2 million guests around the world. It also said it offered guests the opportunity to sign up for a personal information monitoring service where one was available. The ICO is still investigating that incident, so no fine has yet been decided for it.
Asked for a view on the ICO’s penalty haircuts, Tim Turner, a UK-based data protection trainer and consultant, agreed that the coronavirus looks like a convenient scapegoat.