ICO slaps Marriott with £99.2m fine over Starwood breach

The Information Commissioner's Office (ICO) has announced another multi-million pound fine under the General Data Protection Regulation (GDPR), this time against hotel giant Marriott International for a data breach which took place at subsidiary Starwood back in 2014 but was not discovered until 2018.

The EU General Data Protection Regulation (GDPR) brings the UK's privacy watchdog, the Information Commissioner's Office (ICO), vastly improved powers to fine companies found to have been negligent in their handling, transmission, and storage of personally identifiable information (PII): While the previous Data Protection Act (DPA) had placed an upper limit on fines of £500,000, itself a doubling of the previous £250,000 limit, GDPR allows for fines of up to £17.92 million or four percent of a company's annual global turnover, whichever is greater. Information Commissioner Elizabeth Denham showed no hesitation to use the increased limit earlier this week when she announced a record-breaking £183 million fine against British Airways over a data breach which included the loss of payment card information.

Just days later, Denham has announced another multi-million pound fine for a company involved in a major data breach - this time Marriott Hotels, which leaked personal data on some 339 million guests of which 30 million were residents of the European Economic Area (EEA) and seven million from the UK. For its part in the breach, the company is to be fined £99.2 million.

'The GDPR makes it clear that organisations must be accountable for the personal data they hold,' Denham explains of the fine. 'This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.'

The Marriott breach is interesting in two regards. The first is that the breach occurred back in 2014 in systems of the Starwood Hotel Group, which was only acquired by Marriott in 2016 - after the breach had taken place. It took a further two years, however, for Marriott and its Starwood subsidiary to discover the breach and disclose it to authorities, which the ICO claims shows a failure to undertake sufficient due diligence at the time of acquisition and a further failure to properly secure the systems against attack.

Previously, companies have been fined under the terms of the older Data Protection Act for breaches which took place prior to the adoption of the General Data Protection Regulations; Marriott, however, is being fined under the GDPR thanks to its failure to discover and disclose the breach until after the GDPR came into force.

'We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,' claims Marriott International president and chief executive Arne Sorenson. 'We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.'

The fine is not yet set in stone: The ICO has issued a 'notice of intention,' but will accept an appeal from Marriott International along with comments from data protection authorities in other EU member states whose citizens were affected by the breach.