Marriott to face £99 million GDPR fine from ICO over November 2018 data breach

Marriott GDPR fine comes a day after ICO announced its intention to fine BA £183m

Hotel chain Marriott International is facing a £99.2 million fine from the Information Commissioner's Office (ICO) over its November 2018 data breach.

The fine will likely be the second largest so far levied under the new GDPR data privacy regulations - after yesterday's proposed £183 million fine on British Airways.

The ICO announced its "intention to fine" this afternoon, with Marriott, like British Airways, able to make representations to the organisation before the final fine is levied.

The breach revealed in November 2018 involved the leak of 500 million customer records from the guest reservation database of Marriott's Starwood Hotels and Resorts division. The attackers - who are unknown but believed to have links with China's Ministry of State Security - appear to have had access to the system since 2014.

The organisation only became aware of the compromise in September 2018 following an alert from an internal security tool over an attempt to gain access to the reservation system. The company claims that it "quickly engaged" a group of security experts to investigate the apparent attack and "learned during the investigation that there had been unauthorised access to the Starwood network since 2014".

Logs of encrypted communications were uncovered and, when decrypted on 19 November 2018, were found to contain the contents of the Starwood guest reservation database - 500 million records in total. The compromised customer records included mailing addresses, phone numbers, email addresses, and passport numbers. Payment card details were also found, but these, the organisation claimed, had been encrypted with AES-128.

The ICO's statement came after Marriott International notified the US Securities and Exchange Commission earlier today.

"We are disappointed with this notice of intent from the ICO, which we will contest," Marriott International CEO Arne Sorenson said in the statement. He continued: "Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously."

The Starwood guest reservation database that was targeted in the attack is no longer used for business operations, the company added.

However, that appears to have cut little ice with the ICO. "The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham.

She continued: "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

The proposed fines against British Airways and Marriott International indicate that the ICO is prepared to take a hard line on security breaches that compromise customer information, and to make full use of the powers available to it under GDPR.

The fines, though, could be higher still, with BA's amounting to 1.5 per cent of its annual turnover - less than the four per cent maximum (or £520 million) that the ICO could propose to fine the company under GDPR. Under the old Data Protection Act 1998, the maximum fine was just £500,000, with a 20 per cent discount for early payment.