Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Britain Fines US Hotel Chain Marriott Over Data Breach

Britain’s data privacy watchdog on Friday said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.

Britain’s data privacy watchdog on Friday said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.

The UK Information Commissioner’s Office said in a statement it fined Marriott £18.4 million ($23.5 million, 20.1 million euros) for breaches of data that included personal information such as passport numbers since March 2018.

That was when new European Union data protection rules, or GDPR, came into effect.

The final penalty is far less than a figure of around £100 million originally planned by the ICO.

The watchdog said it had taken into account “steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.

Since the breach occurred before Britain left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The ICO said Marriott’s breach in fact dated back to 2014, uncovering client data including passport numbers.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack six years ago on Starwood Hotels and Resorts Worldwide.

Advertisement. Scroll to continue reading.

The ICO said the precise number of people affected remained unclear as there may have been multiple records for an individual guest.

It added that seven million guest records related to people in the UK.

“The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott,” the watchdog said.

“The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number,” it said.

Information Commissioner Elizabeth Denham said businesses are required to look after “precious” personal data belonging to clients.

“Millions of people’s data were affected by Marriott’s failure… When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect,” she said.

Related: Chinese Government Suspected in Marriott Hack: Report

Related: Class Action Lawsuit Filed Against Marriott Over New Data Breach

Related: Data Breach Cost Marriott $28 Million So Far

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.