- ICO strikes Marriott over the 2018 customer breach, imposing a fine of $123 million.
- Marriott failed to protect the customer information held by one of its subsidiaries between 2014 and 2018.
- The breach was allegedly the work of Chinese state-sponsored hackers, but that was never officially admitted.
The UK Information Commissioner’s Office (ICO) has published its intention to fine Marriott International $123 million (£99 million), following the breach disclosed last December that exposed 500 million of the hotel giant’s customers. This announcement comes only a day after the $230 million fine over the British Airways breach, so the ICO is dealing decisively with last year’s security incidents that violated the GDPR (General Data Protection Regulation).
The vast data breach that Marriott suffered between 2014 and 2018 affected 500 million customers of the Starwood chain, which is a subsidiary of Marriott. Anyone who made a reservation at Starwood through its online platform was compromised, and the list includes many high-profile British individuals working in the army, the government, and other key agencies. The breach was carried out for intelligence gathering, as the stolen information was never offered for sale on darknet forums. The New York Times quickly discovered that Marriott’s internal investigation findings pointed to Chinese hackers, possibly backed by the Chinese Ministry of State Security.
The ICO concluded that Marriott failed to secure Starwood’s systems when it acquired the brand, essentially ignoring the core GDPR accountability requirement. As the ICO’s Elizabeth Denham stated: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The personal details leaked in this incident include guest names, email addresses, phone numbers, passport numbers, dates of birth, credit card and payment data, and Starwood guest account information. When Marriott discovered who was behind the attacks, it asked for $12.5 billion in compensation, corresponding to $25 for each compromised customer. Chinese officials never took responsibility for the incident, so no payment was ever approved or made to Marriott. While an entity like Marriott won’t be brought to its knees by the ICO’s fine, the case being made here is that companies can no longer ignore the GDPR, and really have to start investing more in the security and protection of their customers’ data.