Marriott facing $178m GDPR fine
Hotel chain Marriott International is facing a £99.2 million ($178.25 million) fine over a massive data breach that exposed around 339 million customer records.
The UK's Information Commissioner's Office (ICO) has issued a notice of its intention to impose the fine under the EU's General Data Protection Regulation (GDPR).
Marriott reported the incident to the ICO in November 2018, revealing that it believes attackers had compromised the systems of the former Starwood Hotels Group in 2014. Marriott acquired Starwood in 2016 but did not discover the breach until 2018.
An ICO investigation found that Marriott failed to carry out sufficient due diligence when it acquired Starwood, and that it should have done more to secure the acquired systems once they were integrated, according to Information Commissioner Elizabeth Denham.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," she said.
"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Marriott International and other EU data protection authorities will now have an opportunity to comment on the ICO's findings before the final penalty is decided on. Marriott has revealed plans to contest the fine.
Of the 339 million compromised records, around 30 million related to residents of EU member states, including 7 million UK residents.
Marriott has improved its security posture since the breach was discovered, the ICO said. Now that its post-merger integration work is complete, the hotel chain has stopped using the compromised Starwood reservation system altogether.
The ICO announcement came a day after the agency revealed it intends to fine British Airways £183.39 million ($329.5 million) in relation to a data breach affecting the private information of around 500,000 customers. This would be the largest penalty imposed under the GDPR to date.