Marriott to pay £18.4m ICO fine over cyberattack that affected 339 million records

Written by Sam Trendall on 30 October 2020 in News

Penalty is 82% lower than was originally intended


The Information Commissioner’s Office has fined hotel chain Marriott International £18.4m over a cyberattack that went undetected for four years and may have compromised as many as 339 million guest records.

It is the second time in the space of two weeks that the regulator has imposed a multimillion-pound penalty, after British Airways was slapped with a record £20m fine earlier this month.

In both cases, however, the punishments were greatly reduced from what was originally intended; in July 2019, the ICO announced that it planned to fine Marriott £99m. 

The £18.4m penalty that has ultimately been imposed marks an 82% reduction.

In BA’s case, the cut from the intended levy of £183m to £20m represented an 89% decrease.

For both companies, the regulator said it had reduced the fines after listening to their representations during the appeal process and considering “the economic impact of Covid-19 on their business”.

Announcing the Marriott penalty, information commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”


The hotel chain said that it would appeal the £18.4m fine – but that it “makes no admission of liability in relation to the decision or the underlying allegations”.

“As the ICO acknowledges, Marriott cooperated fully throughout the investigation,” the company added. “Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

The attack in question was launched in 2014 by an unknown attacker, according to the ICO. The target was Starwood Hotels and Resorts – a company that went on to be acquired by Marriott in 2016.

“[The] attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely,” the regulator said. “This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.

“Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.”

The attack was not detected until September 2018 – four months after the EU General Data Protection Regulation came into effect – and the ICO was notified shortly thereafter. Marriott has estimated that approximately 339 million guest records were impacted by the attack.

The £18.4m fine imposed on the hotel chain is not only much reduced from the originally intended figure, it is also a long way short of the maximum permissible penalty under GDPR and the new UK Data Protection Act.

Prior to 2018, the maximum penalty available to the ICO was £500,000 across the board. But the new statutes have given the watchdog the power to penalise breaches of data-protection law with fines of about £18m or 4% of the global turnover of the organisation in question – whichever figure is greater.

For Marriott, which turned over $21bn in 2019, this could have meant a penalty of up to £650m.


About the author

Sam Trendall is editor of PublicTechnology
