ICO lowers Marriott data breach fine to £18.4 million

The regulator had proposed to impose a £99 million fine on the hotel chain last year

The Information Commissioner's Office (ICO) has reduced the fine it had been set to levy on hotel chain Marriott International over the data breach that exposed the personal information of millions of guests worldwide.

In its final penalty notice, the British watchdog said that Marriott must pay £18.4 million, down from the £99 million it had proposed in its July 2019 notice of intent.

"The ICO's investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR)," the ICO said in a statement.

Before setting the final penalty, the ICO took into account the steps Marriott had taken to mitigate the effects of the incident and the economic impact of the pandemic on its business.

The ICO noted that the hotel group had promptly notified affected customers and the regulator after detecting the incident, and had since put in place a number of measures to improve the security of its systems.

In recent months, the hotel chain has been forced to cut thousands of jobs due to the pandemic, and expects a cash burn of $85 million (£65.8 million) a month in 2020.

Marriott disclosed the data breach in November 2018, stating that an unidentified group of attackers accessed the names, addresses, passport numbers and contact details of customers from its Starwood Hotels reservation system.

Once inside the reservation system, the attackers used a web shell to install and run further malware, including credential-harvesting software and remote access tools.
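The attack chain described above starts with a web shell, a server-side script the attacker can drive over ordinary HTTP, which then makes it possible to stage credential theft tools and remote access tooling. As an added example, not taken from the article, the ICO notice or Marriott's own investigation, the following Python scores web-server access logs for three common web shell indicators: a script being executed from a directory that should only hold static files, a request carrying a command-style query parameter, and a POST to a script that the same client never loaded through a browser first. The indicator lists, the directory names and the sample log lines are all constructed for illustration and would need tuning for a real estate.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Parser for the Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions the web server hands to a script engine (assumed set; extend for your stack).
SCRIPT_EXT = ('.php', '.asp', '.aspx', '.jsp', '.cfm')
# Directories that should only ever serve static files; a script here was most likely dropped via an upload.
STATIC_DIRS = ('/images/', '/uploads/', '/cache/', '/tmp/', '/static/')
# Parameter names commonly used by simple web shells to carry the command to run (assumed list).
CMD_PARAMS = {'cmd', 'exec', 'command', 'run'}


def parse_line(line):
    """Split one combined-format log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path.lower()
    rec['query'] = parse_qs(parts.query)
    return rec


def find_webshell_indicators(lines):
    """Return (line_no, client_ip, indicator) triples for requests that look like web shell use."""
    findings = []
    seen_get = set()  # (ip, path) pairs the client has fetched with GET earlier in the log
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not rec['path'].endswith(SCRIPT_EXT):
            continue  # malformed line, or a static resource that cannot execute anything
        ip, path = rec['ip'], rec['path']
        if any(d in path for d in STATIC_DIRS):
            findings.append((n, ip, 'script_in_static_dir'))
        if CMD_PARAMS & set(rec['query']):
            findings.append((n, ip, 'command_parameter'))
        # A POST with no Referer to a script this client never loaded in a browser first is how a
        # dropped shell is usually driven by a tool. Weak on its own (API clients behave the same),
        # so it is only meaningful in combination with other indicators; see suspicious_clients().
        if rec['method'] == 'POST' and rec['referer'] == '-' and (ip, path) not in seen_get:
            findings.append((n, ip, 'blind_post'))
        if rec['method'] == 'GET':
            seen_get.add((ip, path))
    return findings


def suspicious_clients(findings, min_indicators=2):
    """Client IPs that triggered at least min_indicators distinct indicator types."""
    kinds = defaultdict(set)
    for _, ip, indicator in findings:
        kinds[ip].add(indicator)
    return sorted(ip for ip, k in kinds.items() if len(k) >= min_indicators)


# Constructed sample log, not real traffic: one ordinary guest session, one mobile API client,
# and one client driving a script that was dropped into an images directory.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2018:10:12:01 +0000] "GET /reservations/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2018:10:12:05 +0000] "POST /reservations/search.php HTTP/1.1" 200 2210 "https://example.test/reservations/index.php" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Sep/2018:10:14:33 +0000] "POST /images/cache/tmp_upload.php HTTP/1.1" 200 412 "-" "python-requests/2.19.1"',
    '198.51.100.23 - - [10/Sep/2018:10:14:40 +0000] "GET /images/cache/tmp_upload.php?cmd=whoami HTTP/1.1" 200 96 "-" "python-requests/2.19.1"',
    '192.0.2.44 - - [10/Sep/2018:10:15:02 +0000] "POST /api/login.php HTTP/1.1" 200 310 "-" "MobileApp/3.1"',
    '198.51.100.23 - - [10/Sep/2018:10:15:10 +0000] "POST /images/cache/tmp_upload.php HTTP/1.1" 200 1880 "-" "python-requests/2.19.1"',
]

if __name__ == '__main__':
    hits = find_webshell_indicators(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print('clients to investigate:', suspicious_clients(hits))
```

On the sample log the mobile API client trips only the weak `blind_post` indicator and is not reported, while the client talking to the script under `/images/` accumulates three distinct indicators and is. The point of requiring two indicator types is exactly that: each heuristic alone fires on legitimate traffic, and a web shell that sat unnoticed for years is more plausibly caught by correlating several low-confidence signals per client than by any single pattern match.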

The breach likely began in July 2014 and continued until September 2018, involving more than 300 million guest records globally. Precisely how many individuals were affected is unclear, as a single guest may have had multiple records in the database. Nearly seven million records relating to UK guests were exposed in the incident.

The ICO announced in July 2019 that it intended to fine Marriott under the GDPR, saying that the company had failed to take timely steps to secure the Starwood systems after acquiring the company in 2016. Marriott said at the time that it would contest the proposed fine.

In August 2019, a class action-style suit was filed against Marriott International in the High Court of England and Wales over the 2018 data breach.

Martin SFP Bryant, a UK resident, brought the representative claim on behalf of millions of hotel guests domiciled in England and Wales whose personal data was exposed in the breach.

In April this year, Marriott disclosed a second data breach, stating that it involved an application Marriott hotels used to provide services to guests.

The company said that the attackers had obtained the login credentials of two employees at a franchise property and used that access to retrieve the personal information of up to 5.2 million guests from Marriott's systems.