Marriott International has been fined £18.4 million, or about $24 million, for failing to keep millions of customers’ personal data secure.
The group said that it did not intend to appeal the decision but made “no admission of liability in relation to the decision or the underlying allegations.”
The company had been in talks with the Information Commissioner’s Office, which had initially proposed a £99.2 million fine for the exposure of 30 million European Economic Area residents’ personal data due to system security shortfalls.
Information Commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The ICO’s investigation traced the cyber-attack back to 2014, but the penalty related only to the period from May 25, 2018, when the General Data Protection Regulation came into effect.
Because the breach happened before the U.K. left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action were approved by the other EU Data Protection Authorities through the GDPR’s cooperation process.
Neil Baylis, partner at British law firm Mishcon de Reya, told us: “(i) The fine is a lot lower than originally threatened by ICO so relief all round on that. Marriott won’t appeal so no risk of embarrassment for the ICO; (ii) the infringement took place before Marriott acquired the business, so harsh to blame Marriott although it is a good lesson in why you should do some careful due diligence on data protection policies when acquiring a business, or seek indemnities in case any historical breach later emerges; (iii) travel and transport industries are high risk given the amount of personal data they deal with and the business structure, i.e. franchises. Brexit means we may see the U.K. move to its own regime in the coming years, which will just make life even more complicated for businesses operating internationally.”
Marriott International said it “deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises. The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.
“Marriott wants to reassure guests that the incident and the ICO’s decision involved only [Starwood Hotels & Resorts Worldwide’s] separate network, which is no longer in use.”
The ICO acknowledged that Marriott “acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers and has since instigated a number of measures to improve the security of its systems”.
Marriott International CEO Arne Sorenson told a U.S. Senate committee hearing last March that the company had not been aware of the scale of the data issues at Starwood prior to buying it in 2016, with the source of the breach unknown.
Sorenson told the Senate Permanent Subcommittee on Investigations: “As a company that prides itself on taking care of people, we recognize the gravity of this criminal attack on the Starwood guest reservation database and our responsibility for protecting data concerning our guests. To all of our guests, I sincerely apologize.”
This article originally appeared on Hospitality Insights.