The U.K.’s Information Commissioner’s Office (ICO) imposed an £18.4 million ($23.92 million) fine on Marriott International Inc. for violating the GDPR guidelines. The data privacy regulator stated that Marriott had failed to protect the personal data of millions of its customers. Around 339 million guest records worldwide were affected by a cyberattack on Starwood Hotels and Resorts Worldwide Inc. that began in 2014 and remained undetected until September 2018, by which time the company had been acquired by Marriott.
In 2014, an unknown attacker installed malware on the Starwood systems to gain remote access to their contents. With unrestricted access to the infected device, the attackers spread the malware to other devices on the network to steal customers’ sensitive information. The exposed information included names, email addresses, unencrypted passport numbers, phone numbers, arrival/departure information, guests’ VIP status, and loyalty program membership numbers.
The ICO’s investigation found that Marriott had failed to put in place appropriate security measures to protect its customers’ data being processed on its systems, as required by the GDPR.
In July 2019, the ICO issued Marriott with a notice of intent to fine it up to £99,200,396 ($123 million) for violating the data breach regulations. However, the regulator reduced the penalty amount in consideration of the economic impact of COVID-19 on its business.
Information Commissioner Elizabeth Denham said, “Personal data is precious, and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”