Marriott International fined over £99 million ($123 Millon) under the General Data Protection Regulation (GDPR) for failure to protect customer data.
Information Commissioner’s Office (ICO) issued a fine notice to Marriott for 2018 data breach, in which approximately 339 million guest records were exposed globally.
The fine imposed to Marriott for breaches of data protection law which applies to all companies that collect and process data belonging to the European Union (EU) citizens.
The cyber incident that was targeted to Marriott caused around 30 million related to residents records of 31 countries in the European Economic Area (EEA). Seven million records related to UK residents.
Marriott learned hackers exploit the vulnerability and gained unauthorized access to the Starwood network since 2014, they copied, encrypted information and taken steps to remove it. Marriott International acquired Starwood Hotels & Resorts in the mid-2016.
The investigation done by the Information Commissioner’s Office (ICO) found that Marriott failed to undertake sufficient security measures when it bought Starwood.
According to Information Commissioner Elizabeth Denham said, “The GDPR makes it clear that
Also, ICO warns “personal data is highly valuable and the companies ensure the security to their customers, if its failed, we will not hesitate to take strong action when necessary to protect the rights of the public.”
ICO has investigated this case with the lead supervisory authority on behalf of other EU Member State data protection authorities.
Marriott has completely cooperated with ICO and made adequate security changes soon after they learned this security incident.