Britain’s data protection regulator – the Information Commissioner’s Office (ICO) – announced its notice of intent to impose the fine for a data breach which compromised the details of 339 million hotel guests. It is believed the incident happened in 2014, but it only came to light four years later.
The size of the penalty and its international nature have underlined the greatly increased regulatory powers of the ICO under the European General Data Protection Regulation (GDPR), which came into force last year.
Mike Wills, Director of Data Services at CSS Assure, said: “For the last several months the ICO has been signalling to the market that any misconception that they will not impose fines for violations of GDPR will be swiftly clarified. Not only will those businesses found to be in violation of GDPR after the compliance deadline be penalised, but those found to have experienced breaches in the past who did not report said events could be liable as well.”
The Marriott data was compromised through the guest reservation system of the Starwood Hotel Group, which was taken over by its American rival three years ago. The system has since been phased out. Disclosing the breach, Marriott said the Starwood system had been hacked and the personal details of around 339 million guests from around the world had been accessed. It is understood that around 30 million records related to residents of 31 European countries, seven million of them UK residents. More than five million unencrypted passport numbers were included in the breach.
Due Diligence Failure
Information Commissioner Elizabeth Denham said that Marriott had failed to properly review the data practices of the firm it took over and should have done more to secure its systems. She further commented: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
But Marriott have made it clear they intend to appeal the ICO’s notice of intent to levy the fine.
Company president Arne Sorenson said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Charlotte Riley, Director of Information Security at CSS Assure, commented: “GDPR has been a real game changer in data protection. The penalties for getting it wrong can be very expensive indeed and a massive hit to the finances of any firm found to be in breach. The maximum penalty is €20 million or up to 4% of the firm’s annual turnover. Companies which haven’t already done so should start an urgent audit of their data security measures and take action immediately if they uncover any problems. CSS Assure can help with that. We offer ‘best in class’ advice to help our clients keep their organisations secure. Our processes are designed to help you understand what needs to be done to comply with their requirements and how to achieve it in simple, clear, and practical language. If you think we can help, please call us on 03333 050 613.”