Marriott hotel chain risks a fine of 110 million euros for data leak

The British Information Commissioners Office (ICO) has announced its intention to fine the hotel chain Marriott International GBP 99,2 million (approximately EUR 110 million) for a data breach in November last year.

The hack was not a one-off incident, but had been running since 2014, writes Silicon Angle. It started with the Starwood Hotels group, two years before this chain was taken over by Marriott.

Over a period of four years, customer data from some 339 million individual customers was stolen. These included names, e-mail addresses, home addresses, passport numbers and telephone numbers.

The theft was only discovered at the end of 2018, about two years after Marriott had taken over Starwood. The ICO now claims that Marriott did too little research when it bought Starwood, and that it should have done more to secure its systems.

GDPR

The vast majority of the data leak took place before the European privacy legislation GDPR came into force. However, the hack was only discovered after its introduction, which means that these rules are applied.

The GDPR makes it clear that organisations are liable for the personal data they collect, according to Information Commissioner Elizabeth Denham. This also includes doing proper research on a business acquisition, and deploying measures to determine what data has been collected and how it has been protected.

Marriott has already announced an appeal against the fine. CEO and President Arne Sorenson is disappointed with the announced intentions of the ICO.

Perpetrator

We don’t know who’s behind the hack on Marriott. In December, however, a report suggested that this might be China. It seems that the attack was designed to gather information for espionage by China, not for financial gain.