Marriott International faces a £99 million fine under the GDPR
Marriott International is facing a fine of about £99m under the GDPR for a data breach.
Following an extensive investigation, the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
The proposed fine relates to a cyber incident that Marriott reported to the ICO in November 2018, in which a variety of personal data contained in approximately 339 million guest records worldwide was exposed. Around 30 million of those records related to residents of 32 countries in the European Economic Area (EEA), and around 7 million related to UK residents.
The exposure is believed to have begun when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should have done more to secure its systems.
Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott has cooperated with the ICO's investigation and has made improvements to its security arrangements since the breach came to light. The company now has the opportunity to make representations on the proposed findings and sanction; the ICO will consider those representations, along with the views of the other concerned data protection authorities, before taking its final decision.