- Britain’s data watchdog has discounted the Marriott fine down to about one-fifth of the original.
- The officer justified the decision by mentioning Marriott’s responsible stance, as well as the COVID-19 situation.
- Marriott has blundered again since the 2018 incident and will face another fine for the latest event soon.
UK’s Information Commissioner’s Office (ICO) has published its decision to fine Marriott International £16.95 million (about $22 million) for GDPR and DPA violations that took place between May 25, 2018, and September 17, 2018. The hackers have actually remained in Marriott’s systems between 2014 and 2018, but the ICO only mentions the applicable period against the legal provisions.
Back in July 2019, the ICO decided to fine Marriott for that security incident £99 million ($128 million). The payment of this fine was repeatedly postponed, though, for unclear reasons – and as the time passed, we entered the turbulent 2020. The pandemic has hit Marriott severely, considering it is a hotel chain, so the ICO decided to go a lot more lenient, exactly like they did with British Airways earlier in the month.
However, the fine that was finally imposed on the firm is almost an insult to the people who had their sensitive information exposed for four years. The ICO investigation revealed that the number of affected people is 339 million. The hotel guests had their passport numbers, reservation details, credit card numbers, and more. All of that was valued for £0.05 each, and so the total amount reached roughly one-fifth of the original fine.
The ICO states that Marriott’s stance of willingness to cooperate with the data watchdog’s investigators won them a 20% discount and that the COVID-19 situation alone cut another £4 million. This sounds logical, but we must not overlook Marriott’s recent failure to protect customer data again, even after all that had happened previously.
In April 2020, Marriott announced yet another data breach that took place in January 2020. The hackers used employee credentials to access the sensitive details of 5.2 million hotel guests. ICO is still investigating that incident, so no fines have been decided for it yet. However, it is clear that they have not considered it for their 2018 fine decision.
As for the GDPR effect in the UK, the recent incident took place while the regulation was active, and the country was still a member of the EU. In general, it is expected that the Data Protection Act (DPA) rules will take effect after January 2021.