ICO Fines Marriott International £18.4 Million for GDPR Violation

Share this article on:

The Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, has imposed a £18.4 million ($23.8 million) financial penalty on Marriott International for violations of the EU’s General Data Protection Regulation (GDPR).

The ICO investigated Marriott over its massive data breach that affected 339 million customers, 30.1 million of whom reside in the EU including 7 million in the UK. The ICO investigators identified multiple security failures and determined Marriott had failed to implement appropriate technical and organizational measures to protect the personal data of EU citizens being processed on its systems, in violation of the GDPR.

The data breach in question affected Starwood Hotels and Resorts Worldwide, which Marriott acquired in 2016. In July 2014, hackers attacked Starwood and installed a web shell on one of its websites which allowed them to access a server and install a remote access Trojan, which gave the attackers persistent access. The attackers were able to explore the network and used Mimikatz tool to steal passwords, then installed malware that allowed them to steal payment card data and personal information. The attackers had full access to the initial compromised device and other devices on the network which the compromised account had access to. The breach was discovered four years later.

The types of data stolen by the attackers varied from individual to individual and may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers.

The financial penalty could have been considerably higher. Under the GDPR, companies found to have violated GDPR provisions can be fined up to €20 million (£18,077,500 / $23,582,460) or 4% of global annual turnover, whichever is greater. In 2019, the ICO announced its intention to fine Marriott £99.2 million ($128.2 million) for the data breach but after considering Marriott’s representations, the speed and thoroughness of its breach response, and the impact COVID-19 has had on the hotel group, the decision was taken to reduce the financial penalty.

The ICO notes that when the breach was discovered, Marriott acted quickly and reported the breach to the appropriate data protection authorities and promptly notified affected customers. Since the breach, Marriott has implemented a range of new measures to improve system security and rapidly detect breaches should they occur. Marriott has issued a statement confirming it will appeal the financial penalty.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On

GDPR Compliance Checklist

Got customers in Europe?
Your American company may be required by law to comply with GDPR.

Thank You

    How we use your data
    Immediate Access.
    Confidentiality guaranteed.

    GDPR Compliance Checklist

    Got customers in Europe?
    Your American company may be required by law to comply with GDPR.

    Thank You

      How we use your data
      Immediate Access.
      Confidentiality guaranteed.