The Information Commissioner’s Office (ICO) has fined Marriott International Inc £18.4 million for failing to keep millions of customers’ personal data secure.
The hotel chain estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc.
The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.
The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
The ICO found Marriott failed to put “appropriate technical or organisational measures in place to protect the personal data being processed on its systems”, as required by the General Data Protection Regulation (GDPR).
Elizabeth Denham, Information Commissioner, said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”
Kate Bevan, editor of Which? Computing, commented: “It’s positive to see the Information Commissioner’s Office showing its teeth and sending a clear message to companies that it is unacceptable to play fast and loose with people’s personal data.
“However, our research earlier this year suggested that Marriott had not learned lessons from previous data breaches and still had serious vulnerabilities on its websites that could leave customers exposed to opportunistic cybercriminals.
“The government should provide a much clearer route to this by allowing for an opt-out collective redress regime that deals with mass data breaches.
“Any consumers worried that they could have been affected by a data breach should change online passwords that might have been compromised and, where possible, enable two-factor authentication. They should also monitor bank and other online accounts as well as their credit report to guard against potential identity fraud.”