The Information Commissioner’s Office (ICO), the United Kingdom’s data protection authority, has enforced a £18.4 million ($23.8 million) financial fine on Marriott International for violating the EU’s General Data Protection Regulation (GDPR).
The ICO had Marriott investigated because of its huge data breach that impacted 339 million clients, 30.1 million of whom live in the EU which include 7 million in the United Kingdom. The ICO investigators discovered several failures in security and decided that Marriott had neglected the implementation of suitable technical and organizational procedures to secure the personal information of EU citizens that are used on its systems, which violates the GDPR.
The data breach under consideration impacted Starwood Hotels and Resorts Worldwide that Marriott bought in 2016. Hackers attacked Starwood in July 2014 and deployed a web shell on one of its sites. That permitted them to gain access to a server and deploy a remote access Trojan giving the attackers continued access. The attackers exploited the network using the Mimikatz tool and stole the passwords, then deployed malware that permitted them to swipe payment card information and personal data. The attackers got complete access to the preliminary compromised device and other devices on the system which is accessible with the compromised account. The breach was uncovered four years after.
The attackers stole types of information that differed from person to person and might have contained names, email addresses, unencrypted passport numbers, telephone numbers, arrival/departure details, loyalty program membership numbers and hotel guests’ VIP status.
The financial fine might have been substantially greater. As per the GDPR, companies determined to have GDPR violations could get up to €20 million (£18,077,500 / $23,582,460) fines or 4% of global yearly revenues, whichever is higher. In 2019, the ICO showed its intent to issue Marriott a £99.2 million ($128.2 million) penalty for the data breach. However, after looking into Marriott’s representations, its fast and complete breach response, and the effect COVID-19 on the hotels, ICO decided to lower the financial fine.
The ICO states that upon discovery of the breach, Marriott responded immediately and submitted a report to the proper data protection government bodies and quickly advised affected clients. Since the breach occurred, Marriott has put in place a variety of new procedures to enhance system security and quickly identify breaches when they arise. Marriott has given a statement saying that it will make an appeal concerning the financial penalty.