ICO fines Marriott 18.4 million pounds for failing to secure customer data

Send a link to a friend  Share

[October 30, 2020]  (Reuters) - Britain's data watchdog said on Friday it has fined Marriott International 18.4 million pounds ($23.98 million) in a six-year old cyber attack on its Starwood hotels reservation system in one of the largest data breaches in history.

 

The hack began in 2014, before Marriott offered to buy Starwood Hotels, and affected 339 million guest records.

The Information Commissioner's Office (ICO) said that Marriott failed to put appropriate measures in place to secure customers' personal data from the attack, which was from an unknown source and remained undetected until September 2018.

The regulator added that it traced the cyber attack back to 2014, but the penalty only relates to the breach from March 25, 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.

The fine is much lower than the 99.2 million pounds penalty the data watchdog had proposed to levy on the hotel operator last year.

The company is also facing a London class action by millions of former guests demanding compensation.

"Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations," the hotel chain said.

The personal data may have included names, email addresses, phone numbers and unencrypted passport numbers among other things, the ICO said.

(Reporting by Tanishaa Nadkar in Bengaluru; Editing by Shailesh Kuber)

[© 2020 Thomson Reuters. All rights reserved.]

Copyright 2020 Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.  Thompson Reuters is solely responsible for this content.

 

 

Back to top