
ICO Strikes Marriott with £18.4 million GDPR penalty

The UK's ICO has reduced the size of a data breach penalty for hotel business Marriott from £99 million to £18.4 million.

The ICO has fined the Marriott hotel group for failing to keep millions of customers' personal data secure. The ICO's investigation found that Marriott had failed to put appropriate measures in place to protect the personal data being kept and processed on its systems, as required by the General Data Protection Regulation (GDPR).

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Elizabeth Denham, Information Commissioner

What was exposed?

The precise number of people affected is unclear. The breach is thought to have exposed 339 million records across the EU, although this figure may include duplicated users. The Marriott fine relates to a data breach suffered by the hotel group in 2014 (involving a network of Starwood hotels that Marriott acquired in 2015); the breach wasn't discovered or reported until 2018. The personal data exposed between 2014 and November 2018 differed between individuals, but the ICO has said that it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty membership numbers. (The penalty only covers the portion of the breach that dates from 25 May 2018, when the GDPR came into effect.)

Why was the ICO fine reduced?

An interesting development here is the 81% reduction from the initial £99 million fine that the ICO said it would levy. (This is still one of the largest fines levied under GDPR.) It mirrors a very comparable case: the ICO and the British Airways data breach. In July 2019 the watchdog announced a fine of £183.39 million ($230 million) against the airline for a 2018 data breach that affected approximately 500,000 customers; in October just past, the ICO issued a final penalty to British Airways of just £20 million ($25.8 million).

So why the dramatic reduction in the ICO's fine for Marriott? In both cases, it seems that the ongoing pandemic has played a part in the ICO's decision to reduce the size of the fines. In recent months, the hotel chain has been forced to cut thousands of jobs due to the pandemic and expects a cash burn of $85 million (£65.8 million) a month in 2020. Although the pandemic may have played a part, the ICO also acknowledged that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage to its customers and has since made vast improvements to the hotel group's cybersecurity.

The risks and consequences of inadequate data management

The changing landscape of compliance regulations worldwide means companies must ensure they have good data protection practices in place. Loss, delays, non-response, or bad practices can lead to reputational damage, which is often far more costly than fines. Email and file archiving, eDiscovery, and compliance have become key requirements for businesses. In the digital age, companies are responsible for ever-increasing amounts of data, including their customers' and employees' data. Organisations need to know what personal data is lurking in their email and file data.

Learn more about how Waterford Technologies can give your organisation better insight into and control of its email and file data. We provide an independent archive for your email and file data that can help simplify data management and discovery, while also meeting complex compliance requirements.