Britain’s privacy watchdog has announced a proposed fine of £99 million under the EU’s General Data Protection Regulation (GDPR) against hotel giant Marriott for its failure to detect and remediate, more quickly than it did, a data breach that persisted for four years.
Over that period, the data breach exposed approximately 339 million customer records globally, of which about 30 million related to residents of 31 countries in the European Economic Area and 7 million to U.K. residents, Britain’s Information Commissioner’s Office said on Tuesday. The ICO enforces the country’s data protection laws, including GDPR.
The previewed GDPR fine was first revealed on Tuesday when Marriott International said in a filing with the U.S. Securities and Exchange Commission (SEC) that “the U.K. Information Commissioner’s Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 against the company in relation to the Starwood guest reservation database incident that Marriott announced on November 30, 2018.”
Marriott said the long-running breach exposed such information as names, mailing addresses, phone numbers, email addresses, passport numbers, and, in some cases, encrypted payment card information. The breach appears to have begun with a 2014 network hack of Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 for $13 billion.
Marriott says it has been assisting the ICO with its investigation and has overhauled aspects of its security program since discovering the breach.
Data protection failure
The ICO says Marriott’s security practices and procedures failed to protect personal information. “The GDPR makes it clear that organisations must be accountable for the personal data they hold,” says U.K. Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Under GDPR, EU data protection authorities, including the U.K.’s ICO, can fine organisations up to 4% of their annual global revenue or £17.9 million – whichever is greater – if they violate Europeans’ privacy rights, for example, by failing to secure their personal data. Separately, organisations that fail to comply with GDPR’s reporting requirements also face fines of up to £9 million or 2% of annual global revenue. Regulators can also withdraw an organisation’s ability to process Europeans’ personal data.
The proposed fine against Marriott is equivalent to just 0.006% of the hotel chain’s 2017 revenue.
Marriott plans to contest fine
Marriott has the right to respond to the proposed fine before the ICO makes its final determination. In a statement, Marriott says it “intends to respond and vigorously defend its position.”
“We are disappointed with this notice of intent from the ICO, which we will contest,” says Arne Sorenson, president and CEO of Marriott. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Marriott said in a prior SEC filing that it had taken out a cyber insurance policy prior to the breach being discovered.
The ICO has been the lead European supervisory authority probing the Marriott breach on behalf of other EU member states. Under the “one stop shop” provisions of GDPR, the hotel chain will face only a single EU fine. But in addition to Marriott itself, data protection authorities in other European countries where residents were affected by the breach will also be allowed to weigh in on the fine proposed by the ICO before it gets finalised.
Multiple U.S. state attorneys general are also probing the Marriott breach.
Breached system retired
Marriott reported that as of December 31, 2018, Starwood-branded hotels were no longer using the Starwood reservation system that had been breached. “With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system,” the company said earlier this year.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
The Marriott announcement came just a day after the regulator said it is planning to fine flagship carrier British Airways a record-setting £184 million for security failures that helped precipitate two breaches last year – one in June, the other in October.
The proposed BA and Marriott fines are the first major data breach fines to be announced since GDPR went into full effect on May 25, 2018.