UK Data Security Watchdog Fines Marriott Hotels £18.4m For Data Breach

The Marriott hotel chain has been fined £18.4m by the United Kingdom's data privacy watchdog for a major data breach in which the personal data of up to 339 million guests may have been compromised.

The cyber attack could have resulted in the names, contact information and passport details of millions of guests being stolen or mishandled, the Information Commissioner's Office (ICO) said.

Seven million of the affected guest records related to people in the UK.

The hotel chain had failed to put appropriate safeguards in place, the ICO said, though it also acknowledged that the company had since made improvements to its data security.

The breach began in 2014 in the systems of the Starwood Hotels group, which Marriott acquired in 2016.

The attacker retained access to the affected systems until the breach was first discovered by the company in 2018. The compromised systems also held phone numbers, passport numbers, arrival and departure information, VIP status and loyalty programme numbers, among other details.

That formed the basis of the ICO's finding that Marriott had failed to protect personal data as required under the General Data Protection Regulation (GDPR).

Some analysts, however, have said that Marriott perhaps never knew, or had no way of knowing, that Starwood's servers had been compromised before it took over the company in 2016. The attackers had been inside the systems for years, and Marriott potentially had no idea of it even as it was acquiring Starwood.

The ICO's report also makes it clear that Marriott strengthened the security of Starwood's IT systems far too late; until then, the attackers had free rein to move through the systems and leave with the data sets they believed would sell best on the criminal market.

Compared with the ICO's initial notice of intent to fine the company £99m, the final penalty imposed on Marriott appears small. But analysts say it is still a deterrent that should push other companies to take data security more seriously.

“Millions of people’s data was affected by Marriott’s failure,” ICO commissioner Elizabeth Denham said.

“Thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

The company "deeply regrets the incident", Marriott said in a statement.

“Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests,” it said.

(Adapted from

