The ICO isn’t done yet.
Just a day after it announced its intent to fine British Airways $229 million for violating the General Data Protection Regulation (GDPR) over a breach last fall, the U.K.’s Information Commissioner’s Office confirmed this week that it plans to hand down yet another multimillion-dollar fine.
The ICO, the U.K.'s data protection authority, said Tuesday it plans to fine the hotel chain Marriott International Inc. $123 million for an incident in which the company violated GDPR last year.
The violation stems from the incident that Marriott disclosed in November 2018 involving the compromise of 339 million guest records, 30 million of which the ICO says belonged to residents of 31 countries in the European Economic Area.
The breach, which affected Starwood Hotels group's guest reservation database, began in 2014 but wasn't discovered until last year, after Marriott’s acquisition of Starwood Hotels & Resorts Worldwide, Inc., a purchase that made it the world’s biggest hotel chain.
The ICO says that Marriott should have done more to secure Starwood's systems when it purchased the company.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," Information Commissioner Elizabeth Denham said Tuesday.
At the time, Marriott said it believed the breach could have affected up to 500 million guests. The ICO's investigation puts the actual figure lower, at 339 million guests who may have had their data exposed.
To recap, Marriott first realized something was awry with the Starwood guest reservation database on September 8, 2018, when an internal security tool alerted it to an attempt to access the database. While this was troubling, more concerning was the eventual realization that an unauthorized party had had access to the database since 2014 - and had copied and encrypted some of its contents.
According to Marriott, compromised data included a combination of guest names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information; some guests had their payment card number and expiry dates stolen as well.
The hotel chain warned at the time that anyone who made a reservation at a Starwood property, including W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and Le Méridien Hotels & Resorts, on or before September 10, 2018 could be affected.
The ICO's statement on Tuesday corroborated a filing Marriott made the same day with the Securities and Exchange Commission (SEC).
In it, Marriott's President and CEO Arne Sorenson expressed disappointment with the proposed fine.
“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database," Sorenson said. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
According to the SEC filing, Marriott no longer uses the database for business operations.
Like the previous day's proposed fine of British Airways, the ICO’s proposed fine of Marriott translates to a sizeable chunk of the hotel chain’s annual revenue. The fine, £99,200,396 or roughly $123,634,941, is roughly 2.4 percent of its total revenue.
Under GDPR, data protection authorities can fine offenders up to 20 million euros or four percent of a company's worldwide annual turnover, whichever is higher.
As is the case with every notice of intent issued by the ICO, Marriott has the right to make representations - something the company says it will do "vigorously" - before the fine is formally issued.