£18.4 million fine for Marriott

Following just a week after the £20 million fine for British Airways, the ICO has announced a fine of £18.4 million for Marriott International Inc, for failing to keep millions of customers’ personal data secure.

This case goes back a long way, to a cyberattack in 2014 on Starwood Hotels and Resorts Worldwide Inc, where an estimated 339 million guest records were affected; the details included name, address, email address, phone number, unencrypted passport numbers, booking details and VIP status.

The cyberattack remained undetected until September 2018, by which time the company had been acquired by Marriott.

The ICO led on this investigation, on behalf of all the EU countries affected. In the words of the Information Commissioner, Elizabeth Denham:

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”