HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

ICO Fines Marriott International £18.4 Million for GDPR Violation

The Information Commissioner’s Office (ICO), the data protection authority in the United Kingdom, has imposed an £18.4 million ($23.8 million) financial penalty on Marriott International for violations of the EU’s General Data Protection Regulation (GDPR).

The ICO investigated Marriott over its massive data breach, which affected 339 million customers, 30.1 million of whom reside in the EU, including 7 million in the UK. The ICO investigators identified multiple security failures and determined that Marriott had failed to implement appropriate technical and organizational measures to protect the personal data of EU citizens being processed on its systems, in violation of the GDPR.

The data breach in question affected Starwood Hotels and Resorts Worldwide, which Marriott acquired in 2016. In July 2014, attackers installed a web shell on one of Starwood’s websites, used it to reach a server, and installed a remote access Trojan that gave them persistent access. They then explored the network, used the Mimikatz tool to harvest passwords, and installed malware that allowed them to steal payment card data and personal information. The attackers had full access to the initially compromised device and to every other device on the network that the compromised account could reach. The breach went undetected for four years and was only discovered in 2018.
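The chain described above (a web shell, then credential theft with Mimikatz) is exactly the kind of activity that endpoint telemetry can surface early. As an added example, not part of the original article or of the ICO’s findings, the Python below runs two detections over constructed Sysmon-style events: a web-server worker spawning a shell (ProcessCreate, event ID 1) and a non-allowlisted binary opening lsass.exe with memory-read rights (ProcessAccess, event ID 10). The process-name sets, access masks, allowlist, host names, paths and sample events are all assumptions made for illustration.

```python
import json

# Web-tier worker processes that should never launch an interactive shell (assumed set).
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat", "java"}
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "sh", "bash", "whoami.exe", "certutil.exe"}

# Access masks on lsass.exe that credential-dumping tools typically request
# (0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, 0x1FFFFF = PROCESS_ALL_ACCESS).
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# Windows components that legitimately open lsass.exe; an assumption to tune per environment.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_webshell_spawn(ev):
    """Sysmon ID 1 (ProcessCreate): a web server worker spawning a shell."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in WEB_SERVER_PROCESSES and child in SHELL_BINARIES:
        return {"stage": "webshell", "host": ev["Computer"],
                "detail": f"{parent} spawned {child}: {ev.get('CommandLine', '')}"}
    return None


def check_lsass_access(ev):
    """Sysmon ID 10 (ProcessAccess): a non-allowlisted binary opening lsass.exe
    with an access mask that permits reading its memory."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    source = basename(ev["SourceImage"])
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs this as a hex string, e.g. "0x1010"
    if source not in LSASS_ACCESS_ALLOWLIST and granted in SUSPICIOUS_LSASS_ACCESS:
        return {"stage": "credential_dump", "host": ev["Computer"],
                "detail": f"{ev['SourceImage']} opened lsass.exe with 0x{granted:X}"}
    return None


def scan(lines):
    """Run both checks over newline-delimited JSON events and return alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_webshell_spawn, check_lsass_access):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): a benign shell launch, a web-shell
# launch, a legitimate LSASS open, a low-privilege LSASS open, and a dumping attempt.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "web01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Computer": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 10, "Computer": "dc01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "dc01", "SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "dc01", "SourceImage": r"C:\Users\svc_web\AppData\Local\Temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Running the block prints two alerts: the w3wp.exe-to-cmd.exe spawn on web01 and the mimikatz.exe open of lsass.exe on dc01; the explorer.exe shell, the csrss.exe open and the 0x1000 query-only open are not flagged. Note that allowlisting by file name alone is weak, since a dumper renamed to services.exe would pass; a production rule should also key on the signed image path and parent lineage, and a four-year dwell time like Starwood’s is precisely what such a rule is meant to prevent.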

The types of data stolen by the attackers varied from individual to individual and may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers.

The financial penalty could have been considerably higher. Under the GDPR, companies found to have violated GDPR provisions can be fined up to €20 million (£18,077,500 / $23,582,460) or 4% of global annual turnover, whichever is greater. In 2019, the ICO announced its intention to fine Marriott £99.2 million ($128.2 million) for the data breach but after considering Marriott’s representations, the speed and thoroughness of its breach response, and the impact COVID-19 has had on the hotel group, the decision was taken to reduce the financial penalty.

The ICO notes that when the breach was discovered, Marriott acted quickly and reported the breach to the appropriate data protection authorities and promptly notified affected customers. Since the breach, Marriott has implemented a range of new measures to improve system security and rapidly detect breaches should they occur. Marriott has issued a statement confirming it will appeal the financial penalty.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.