ICO fines Marriott £18.4million for a data breach

The ICO has fined Marriott International Inc £18.4million for failing to keep its customers’ personal data secure.

£99.2million proposed fine 

In July 2019, the ICO issued a notice of intent to fine Marriott £99.2million. The proposed fine concerned a data breach on around 339 million guest records worldwide (around seven million from the UK).  This followed a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc which Marriott acquired in 2016. Marriott did not discover the cyber-attack until 2018. 

The personal data involved included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.

The ICO considered Marriott should have done more to protect the security of its systems and proposed a £99.2million pound fine. 

Fine reduced to £18.4million due to mitigating circumstances 

After receiving written representations from Marriott, the ICO finalised its fine. It decided to fine Marriott £18.4million, after taking mitigation into account.
 
The ICO acknowledged that Marriott acted promptly to contact both customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers. Marriott also implemented various measures to improve the security of its systems.

The ICO set out its step by step basis for reaching its fine. Interestingly, it reduced the fine from £22.4million to £18.4million as a result of the impact of Covid-19 on the business (in line with its regulatory approach to Covid-19).

Comment

The fine is the second largest issued by the ICO to date (after the £20million fine issued to British Airways in October 2020). As with British Airways, the final fine is significantly lower than the original proposed fine. £18.4m represents far less than 1% of Marriott’s total worldwide global turnover, compared to a maximum possible fine of 4%.

The fine is still worrying, as the breach occurred on a legacy system before Marriot acquired Starwood. However, as the penalty concerns breaches from 25 May 2018 onwards, the ICO did not determine whether Marriott could have conducted further due diligence during the takeover. The ICO notes there may be circumstances where in-depth due diligence of a competitor is not possible during a takeover.