UK’s Information Commissioner’s Office Issues a Final Fine Against Marriott
On October 30, 2020, the UK’s Information Commissioner’s Office (ICO) issued a £18.4 million fine against Marriott International Inc. The fine stems from the November 2018 disclosure that personal data contained in approximately 339 million guest records globally were exposed as a result of a breach of the Starwood hotels system in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until two years later.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers. Although the precise number of affected users is unclear as there may have been multiple records for an individual guest, an earlier ICO estimate put the number at around 30 million.
The investigation by the ICO revealed that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. Although the investigation traced the cyber-attack back to 2014, the penalty only relates to the breach from May of 2018, when the GDPR came into effect.
Because the breach happened before the United Kingdom left the European Union, the ICO investigated it on behalf of all EU Data Protection Authorities as the lead supervisory authority under the GDPR. The penalty has been approved by the other EU Authorities through the GDPR’s cooperation process.
In July of 2019, the ICO proposed a £99 million fine against Marriott in connection with the same breach. According to the ICO, the final reduced penalty reflects the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on the company’s business.
Even though the fine imposed on Marriott is significantly less than what the ICO originally proposed, it is still one of the biggest fines issued by the ICO (the biggest being a £20 million fine against British Airways issued earlier this month). Furthermore, the penalty underscores the importance of due diligence in evaluating privacy requirements and cybersecurity controls during the merger and acquisition process. Companies that ignore these obligations are bound to pay the price in the form of regulatory fines, litigation, and diminished reputation with privacy-conscious consumers.
Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.