The Marriott hotel group has been fined £18.4m by the UK data regulator, the Information Commissioner’s Office (ICO), over a data breach that began in 2014.

The final fine is greatly reduced from the £99m the ICO initially proposed in its 2019 notice of intent, taking into account the financial losses the company has suffered during the COVID-19 outbreak, which has hit the hospitality industry hard this year.

Starwood systems infiltrated

In 2014, attackers broke into the systems of Starwood, the resort chain that Marriott acquired in 2016, and stole customer information. They installed a web shell on a Starwood server, used it to deploy further malware, and then combined credential-harvesting software with remote-access tools to move through Starwood’s systems.
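The web shell is the stage of this attack chain that leaves the clearest trace in ordinary web-server logs, and it is the kind of activity that routine log review should catch long before four years have passed. The following is an added example, not code from Marriott, Starwood or the ICO: it scans a constructed Apache-style access log for three hypothetical web-shell indicators (a server-side script sitting in an upload or static-content directory, a command-style query parameter such as `cmd=`, and POST requests with no referer from an empty or scripted user agent) and reports any path that trips at least two of them. The log lines, paths, parameter names and thresholds are all made up for illustration.

```python
"""Heuristic web-shell detection over web-server access logs.

Added example; the log lines below are constructed, the indicator names
and the /uploads/img_2018.aspx path are hypothetical, and the thresholds
are illustrative rather than tuned.
"""
import re
from collections import defaultdict

# Apache/nginx combined log format:
#   ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directories that should only ever serve static content (assumption for this site).
STATIC_DIRS = ("/uploads/", "/images/", "/static/")
# Server-side script extensions that have no business living in those directories.
SCRIPT_EXT = (".aspx", ".php", ".jsp", ".ashx")
# Parameter names web shells commonly use to carry an operating-system command.
CMD_PARAMS = {"cmd", "exec", "command", "c", "run", "shell"}

# Constructed sample: ordinary guest traffic plus one attacker session.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2018:10:01:02 +0000] "GET /reservations/search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2018:10:01:09 +0000] "POST /reservations/search HTTP/1.1" 200 7340 "https://example.test/reservations" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2018:10:05:44 +0000] "GET /images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Aug/2018:03:12:01 +0000] "POST /uploads/img_2018.aspx HTTP/1.1" 200 41 "-" "-"
198.51.100.9 - - [12/Aug/2018:03:12:05 +0000] "POST /uploads/img_2018.aspx?cmd=whoami HTTP/1.1" 200 62 "-" "python-requests/2.19"
198.51.100.9 - - [12/Aug/2018:03:12:30 +0000] "POST /uploads/img_2018.aspx?cmd=net+user HTTP/1.1" 200 933 "-" "python-requests/2.19"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_indicators(rec):
    """Return the list of indicators a single parsed request trips (empty = nothing odd)."""
    path, _, query = rec["path"].partition("?")
    hits = []
    if path.lower().endswith(SCRIPT_EXT) and path.startswith(STATIC_DIRS):
        hits.append("script in static/upload dir")
    params = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
    if params & CMD_PARAMS:
        hits.append("command-style parameter")
    scripted_ua = rec["ua"] == "-" or "python-requests" in rec["ua"]
    if rec["method"] == "POST" and rec["ref"] == "-" and scripted_ua:
        hits.append("POST with no referer and scripted/empty UA")
    return hits


def scan_log(text):
    """Aggregate indicators per path and return paths that trip at least two distinct ones."""
    per_path = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].partition("?")[0]
        per_path[path].update(request_indicators(rec))
    return {p: sorted(ind) for p, ind in per_path.items() if len(ind) >= 2}


if __name__ == "__main__":
    for path, indicators in scan_log(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(indicators)}")
```

On the constructed sample only `/uploads/img_2018.aspx` is reported, with all three indicators; the legitimate reservation search and image requests trip none. Requiring two distinct indicators per path keeps a single odd user agent from paging anyone, while a script that appears in an upload directory and then starts receiving `cmd=` parameters is exactly the pattern a web shell produces.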

Once inside, the attackers were able to read the databases holding guest reservation details, which included names, phone and passport numbers, travel itineraries, email addresses and information about guests’ membership of the chain’s loyalty programme.

The intrusion went undetected for four years, until it was discovered in 2018. During that time roughly seven million guest records relating to people in the UK were exposed, out of some 339 million guest records affected worldwide.

The ICO issued the fine because Marriott had failed to meet the security standards the GDPR requires: it had put in place neither the organisational nor the technical measures needed to protect the personal data it was processing. The ICO found the company in breach of the GDPR, which has applied since 25 May 2018, and held it accountable.

UK Information Commissioner Elizabeth Denham commented:

“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO did, however, recognise the hotel group’s prompt response to the incident, noting that once it had identified the breach, Marriott moved quickly to contact the guests affected and took steps to mitigate both the damage and the risk to its customers.

Reduced fines in the wake of COVID-19

Like other hotel chains, including Hilton, the Marriott group has been hit hard by the coronavirus pandemic, which has forced many would-be guests to cancel holidays, tours, business trips and other travel plans. Marriott has recorded its first quarterly loss in almost a decade and estimates that it is burning through $85m in cash per month this year.

In recognition of these economic difficulties, and taking into account the company’s recent improvements to its data security, the ICO has drastically reduced the penalty it originally proposed. The underlying obligation is unchanged: organisations that store or use personal data in their role as data controller must safeguard it with encryption and other appropriate security measures.