Marriott Hotels Ordered to Pay £18.4M in Fines for Data Breach

Marriott Hotels was ordered by the Information Commissioner’s Office (ICO) to pay a fine amounting to £18.4 million over its 2014 data breach. The fine was heavily reduced from the initial £99 million (approximately $123 million) intended to be levied by the UK watchdog in 2019.

The decision to lower the fine comes as the hospitality industry is weighed down by the economic disruption of COVID-19, reports ZDNet. The hotel giant reportedly had to cut thousands of jobs because of the pandemic.

The fine stems from a 2014 data breach that affected the Starwood chain of resorts owned by the hotel giant. Starwood was acquired by Marriott in 2015, but the breach was only discovered in November 2018, reveals TechCrunch.

Marriott Hotels Ordered to Pay Fines

Malicious actors reportedly gained access to the Starwood systems, planting and executing malware with the help of a web shell. ZDNet states that the breach leveraged remote access tools and credential harvesting software, which gave the attackers access to Starwood’s databases.

The personally identifiable information obtained by the threat actors included names, phone numbers, email addresses, unencrypted passport numbers, and guests’ VIP status. Guests’ arrival and departure information and loyalty program membership numbers were also compromised.

According to TechCrunch, approximately 339 million guest records may have been affected by the incident. In an earlier statement, the ICO estimated that only around 30 million customers across Europe were affected, because some records were duplicated in the system.

While the ICO said Marriott failed to “put appropriate technical or organizational measures in place,” it also recognized the speedy communication and action by the hotel giant.

UK Information Commissioner Elizabeth Denham said of the incident, “When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Following the fine levied by the Information Commissioner’s Office, the hotel giant stated that it has no intention of appealing the UK watchdog’s decision. In a statement to TechCrunch, a company spokesperson said that they “deeply regret” the incident.

Furthermore, the representative maintains that “Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following the discovery of the incident to promptly inform and protect the interests of its guests.”