
Marriott data breach fine slashed to £18.4 million by UK regulator

Graham CLULEY

October 30, 2020

  • ICO initially fined Marriott International £99.2 million
  • Fine massively reduced in part due to COVID-19’s impact on hotel industry

Marriott International has been fined £18.4 million (US $23.8 million) for its failure to adequately protect the personal records of 339 million guests.

The fine, imposed by the UK data regulator, the Information Commissioner's Office (ICO), is a massive 81% less than the £99.2 million fine originally announced against the hotel group last year.

It is now two years since Marriott warned the public that hackers had managed to gain unauthorised access to the Starwood guest reservation database since 2014, exposing guests' names, mailing addresses, phone numbers, email addresses, Starwood Preferred Guest ("SPG") account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. In addition, millions of encrypted payment card numbers and passport numbers were also breached.

The hackers retained their access to the system after Marriott acquired Starwood in 2016, and continued to exfiltrate personal data unnoticed by Marriott until 2018.

At the time, the breach was described as the second-biggest data breach in history.

The ICO determined that Marriott “failed to undertake sufficient due diligence” when it bought Starwood and should have done more to secure its systems from cybercriminals, but has now dramatically reduced the fine it is imposing on the international company.

Why the massive reduction from £99.2 million to £18.4 million? According to the ICO, it has now taken into account the steps Marriott has taken to mitigate the effects of the incident, and the economic impact COVID-19 has had on the hotel business.

A similar decision was made two weeks ago by the ICO in relation to British Airways, which had the fine for its 2018 data breach reduced from £183 million to £20 million, despite a catalogue of errors.

The UK’s Information Commissioner, Elizabeth Denham, said:

"Personal data is precious and businesses have to look after it. Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not."

I certainly can’t disagree with that.

And although I'm sympathetic with those who hold the view that Marriott has dodged something of a financial bullet, thanks to the coincidence that it was being investigated for a massive data breach while the hotel industry was struggling with a global pandemic, I do hope that even this reduced fine will help wake up other companies to the need to always treat data security as a priority.

Maybe other companies also need to consider more carefully the importance of security audits when merging with or acquiring another business, rather than taking for granted that the systems they inherit are already secured against hackers.
