UK to slap Marriott with a GDPR fine of $123m

Following the recent news of a GDPR fine against British Airways, there is another penalty on the horizon; the $123m fine against Marriott.

The UK’s ICO has made decision to fine Marriott on the grounds of last year’s cybersecurity breach. In November 2018, it became known that hackers had been able to access their guest reservation database since 2014. Reportedly, they got their hands on the personal data belonging to roughly 383 million hotel guests.

In concrete numbers, this translates to:

– 385,000 credit card numbers

– 5.25 million passport numbers that were not encrypted and 18.5 million that were

– 9.1 million encrypted payment card numbers

– 383 million guest records

Elizabeth Denham, the Information Commissioner, has made it clear that organisations must be held accountable for the way they treat people’s personal data. Protecting it is their legal duty.

Arne Sorenson, President and CEO at Marriott International, disagrees with the proposed fines. When formally filed, he has already announced that Marriott will be contesting them. Despite this, he expressed his regrets in regard to the incident. He also revealed that the company decided to retire the compromised Starwood reservation system last year.

It seems that ICO is on the move with some hefty GDPR-related penalties as of late. Yesterday, they announced that British Airways will be fined £183 million for failing to take the steps necessary to protect their website against hackers. Allegedly, it was infected with a card-skimmer that harvested the customers’ payment details during April and June 2018.