UK watchdog fines Marriott £18.4m over customer data breach

The Information Commissioner’s Office (ICO) has come forward with a new fine for Marriott pertaining to a 2014 data breach.

The original penalty was over £99m, but it was reduced due to the ongoing pandemic disruption.

When the attacks were taking place, the perpetrators were able to infiltrate Starwood systems by using malware executed via a web shell.

The attack included the use of credential harvesting software and remote access tools.

Upon breaching the systems, the attackers were able to access databases containing the following guest reservation data:

  • Names
  • Email addresses
  • Phone numbers
  • Passport numbers
  • Loyalty programme information
  • Travel details

These were ongoing attacks that took place over a period of four years.

It is estimated that personal information belonging to 339 million guests was stolen.

Out of this, 7m records belonging to UK citizens were exposed.

The ICO assessed that Marriott failed to meet the security standards outlined by GDPR and failed to prevent the attacks by putting the necessary technical and organisational measures in place when processing data.

According to the ICO, Marriott did act promptly and contacted the customers and reported the incident upon learning of it.

In addition, Marriott was quick in its attempts to mitigate the damage.

In light of the company’s struggles amid the ongoing pandemic, the ICO decided to lower the initial £99.2m fine to £18.4m.

Marriott has had to make thousands of job cuts as travel plans were cancelled due to the pandemic.

The final fine for GDPR violations was also impacted by the company’s recent security improvements.

Last month, the ICO issued another fine of £20m to British Airways for failing to protect personal information belonging to over 400,000 customers in a breach that occurred in 2018.

The airline was deemed to be guilty of unacceptable security failures pertaining to little use of two-factor authentication (2FA), lax access controls, and a lack of cyber security audits.