The Information Commissioner’s Office has finally settled its legal dispute with Marriott International over its proposed GDPR fine of £99m, and like British Airways before it, the hotel giant has secured a major discount, settling instead on £18.4m.
Earlier this month, Marriott secured a fifth delay to the final decision since the global company was first slapped with a notice of intent by the ICO some 15 months ago.
The incident centred around a 2014 cyber-attack on Starwood Hotels and Resorts Worldwide, estimated to have affected 339 million guest records. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but, according to the ICO investigation, may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
The regulator admitted that the precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by GDPR.
Information Commissioner Elizabeth Denham said: ”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Along with the BA fine, issued earlier this month, the ICO has now levied two of the biggest fines since GDPR came into force. However, it still remains way behind many other countries in Europe when it comes to enforcement.
ICO and Irish DPC ‘among the worst GDPR enforcers’
Deceptive data processing sparks biggest GDPR fines
BA ‘humiliates’ ICO by slashing £183m fine to £20m
Germans issue 27th GDPR fine as H&M is hit for €35m
BA and Marriott block £282m GDPR fines – yet again
Hotel hell: Fresh Marriott data breach hits 5.2 million
BA and Marriott to escape GDPR mega fines…for now
2019 Review of the Year: Why it’s crunch time for GDPR
ICO issues first GDPR fine, but it’s not BA or Marriott