Marriott International Inc was fined under the GDPR, by the ICO, for failing to keep customers’ information safe.
Marriott International Inc has been fined by the ICO over a data breach that followed a cyber attack initiated in 2014 but discovered only in 2018, which we reported on in our blog in July 2019. An estimated 339 million customers were affected by this attack against Starwood Hotels and Resorts Worldwide Inc, which was later acquired by Marriott International Inc. Because there may have been multiple records for an individual guest, it is unclear precisely how many people were affected. However, seven million guest records related to people in the UK.
Marriott International Inc was fined under the GDPR for the data breach from May 2018 onwards, even though the cyber attack started in 2014.
While the ICO’s investigation traced the cyber attack back to 2014, the company was fined only for the breach from 25 May 2018, when the GDPR came into effect. Starwood Hotels and Resorts’ system was hacked by an unknown attacker who installed a piece of code on a device on the network, which gave them the ability to access and edit the contents of that device remotely. The attacker therefore had unrestricted access to the device and to other devices on the network. The attacker was also able to obtain login credentials for other users, giving them access to even more information. Using these login credentials, the attacker was able to reach the database storing reservation data for Starwood customers and, by extension, the personal data of a very large number of customers. The ICO’s investigation found that Marriott failed to put in place the appropriate technical and organisational measures required by the GDPR to protect the personal data being processed on its systems.
The ICO issued Marriott with a notice of intent to fine in July 2019 and subsequently fined the company €20.5 million.
Upon discovering the data breach, Marriott quickly contacted both customers and the ICO, which the supervisory authority acknowledged and took into account before issuing the fine. The company also acted speedily to minimise the risk of damage to customers and initiated several measures to improve the security of its systems. The ICO considered the steps taken by the company to mitigate the effects of the incident, and the economic impact of COVID-19 on its business, before setting the final penalty. The investigation conducted by the ICO involved various exchanges with Marriott and considered detailed submissions and evidence. Marriott International Inc was initially met with a notice of intent to fine in July 2019 and was subsequently fined €20.5 million. Information Commissioner Elizabeth Denham said: “When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The penalty and enforcement action had to be approved by the other EU DPAs through the GDPR’s cooperation process.
The data breach occurred prior to the UK’s separation from the EU, so this process had to involve the other EU DPAs. Article 60 of the GDPR states that the lead supervisory authority should cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. The ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR, and the penalty was approved by the other EU DPAs. Part of this process involved submitting a draft decision to the other supervisory authorities and taking account of their views and opinions. Ultimately, this penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.