The Information Commissioner’s Office says it is issuing Marriott International a £99 million fine for a huge data breach in 2014.
The data breach led to the personal and financial details of some 339 million guests being stolen by cyber-criminals. The breach happened in 2014, but Marriott only discovered it in 2018. Marriott said 339 million guests had their information exposed, including their names, phone numbers, dates of birth, passport numbers and arrival and departure information. Some guests had their credit card numbers and card expiration dates exposed. CEO Arne Sorenson said in a statement: “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The fine relates to Marriott’s European customers, of whom 30 million were affected. The ICO said Marriott had failed to properly review data practices and should have done more to secure its systems. Elizabeth Denham of the ICO said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Marriott International’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
What is a data breach?
A data breach occurs when sensitive and confidential information is accessed by a third party who is not authorised to do so. This data can include passwords, credit card numbers, health records or addresses. The most common ways hackers gain access to a system are by guessing a password or by installing malware. Data breaches can range in size from a single individual accessing a file to millions of company records being stolen. How someone is affected by a data breach depends on the information that is accessed and released. The best way to protect your data is to change your password regularly and not store sensitive information on your computer.