
Marriott faces £99.2 million fine after hack exposed 393 million hotel guest records

Graham CLULEY

July 10, 2019

The UK's Information Commissioner's Office (ICO) has announced its intention to fine the US hotel group Marriott International £99.2 million (US $123 million) for a data breach that exposed the personal details of hundreds of millions of guests.

In its initial announcement in November 2018, Marriott said that its hacked Starwood guest reservation system may have held information about up to 500 million guests – although this figure was later reduced to approximately 383 million guest records.

Information stolen included names, mailing addresses, phone numbers, email addresses, Starwood Preferred Guest (“SPG”) account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. In addition, millions of encrypted payment card numbers and passport numbers were exposed.

During a subsequent investigation, Marriott discovered that there had been unauthorised access to the Starwood network since 2014. (Marriott acquired the Starwood Hotels group in 2016.)

And, of course, some of the data which would have been compromised by the hack would have related to customers who are based in the European Union. And it’s that European connection which means Marriott is facing a heavy penalty under the EU’s General Data Protection Regulation (GDPR).

According to the ICO, around 30 million of the hacked records related to residents of 31 countries in the European Economic Area (EEA), with seven million connected to UK residents.

The ICO says that Marriott “failed to undertake sufficient due diligence” when it bought Starwood and should have done more to secure its systems.

GDPR, which came into force last year, allows for fines of up to 20 million Euros or 4% of a company's global annual turnover – whichever is higher.

In a statement, Information Commissioner Elizabeth Denham sent a clear warning to other businesses who are careless with the personal data they hold:

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott is co-operating with the ICO investigation, and has made improvements to its security since the breach was discovered. The hotel chain says it will respond to the proposed fine vigorously, in the hope that it can be reduced.

Earlier this week, the ICO announced that it was intending to fine British Airways £183 million for a breach that compromised the personal data of 500,000 customers last year.
