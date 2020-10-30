

Marriott Fined £18.4m Over Data Breach

The Information Commissioner's Office (ICO) has fined hotel chain Marriott International £18.4m over a data breach that exposed the information of millions of guests worldwide. 

The UK's independent body set up to uphold information rights imposed the financial penalty on Marriott for "failing to keep millions of customers' personal data secure."

In November 2018, Marriott reported a data breach that saw an estimated 339 million guest records exposed globally, of which around seven million related to UK residents. An investigation into the incident revealed that an unauthorized party had been accessing the network of Starwood Hotels and Resorts Worldwide Inc. since 2014, copying and encrypting information.

The attack remained undetected until September 2018, by which time Starwood had been acquired by Marriott. 

The personal data involved in the breach differed between individuals, but the ICO said that it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status, and loyalty program membership number.

An investigation into the incident by the ICO found that Marriott "failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR)."

However, the ICO recognized that Marriott was swift to act once the breach had been discovered, contacting customers and the ICO promptly. 

"It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems," said the commissioner's office.

In July last year, the ICO announced an intention to fine Marriott £99m over the data breach for “infringements of the GDPR.”

In a statement released yesterday, the ICO said: "As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty."

Although the breach dates back to 2014, the GDPR only came into effect in May 2018, two years before the UK left the European Union.
