Relating to an incident that Marriott reported in November 2018, which saw approximately 339 million guest records exposed globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and seven million related to UK residents.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
In the original breach, Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014, where an unauthorized party had copied and encrypted information, and took steps towards removing it. “On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” its statement said.
The ICO said that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems. However, Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light.
In a statement, Marriott International’s President and CEO Arne Sorenson, said that it intended to contest the fine and was “disappointed” with the notice of intent.
Sorensen said: “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
As with yesterday’s announcement of the intention to fine British Airways, Marriott will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
Denham said: “Personal data has real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Justin Coker, VP EMEA at Skybox Security said that a bigger penalty does seem to be sending a message to any firms operating in the UK which are lingering in cybersecurity complacency. “While BA and Marriott have every right to challenge the size of their fines, such a painful levy against such iconic brands should be a landmark catalyst for change and put cyber hygiene and security compliance on every board’s agenda,” he said.
“Whether these companies get their fines adjusted or not, BA and Marriott can use the ICO judgment to take the high ground on knowing the value of proactive cybersecurity and how it can be harnessed to foster customer trust in the long term.”