US hospitality company Marriott International has been fined £18.4m by the UK’s Information Commissioner’s Office (ICO) over a data breach resulting from a cyber-attack in 2014 that impacted 339 million guest records across the world.
The cyber-attack was on Starwood Hotels and Resorts Worldwide, which was acquired by Marriott International in 2016.
However, the ICO said that the attack, which came from an unknown source, went undetected until September 2018, by which time Starwood Hotels and Resorts Worldwide had been acquired by Marriott International.
According to the British data protection watchdog, the personal data that could have been compromised differed between individuals. It could have included names, phone numbers, email addresses, unencrypted passport numbers, arrival and departure information, loyalty programme membership numbers, and guests' VIP status.
The ICO said that the exact number of people affected by the data breach is not clear, as there could have been multiple records for a single guest. Seven million of the guest records are associated with UK residents, said the data protection watchdog.
Its investigation concluded that Marriott International had failed to implement appropriate technical or organisational measures to safeguard the personal data being processed on its systems, as required by the European Union's General Data Protection Regulation (GDPR).
Information Commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”
Because the breach occurred before Brexit, the ICO investigated it under the GDPR as lead supervisory authority, acting on behalf of all European Union data protection authorities.
Earlier this month, the ICO imposed a fine of £20m on British Airways over a data breach, following a cyber-attack in 2018, that affected more than 400,000 customers.