UK privacy authority fines hotel chain of 20.5 million euros for data breach

The British Information Commissioner’s Office fines hotel chain Marriott of £ 18.4 million, equivalent to EUR 20.5 million. Marriott had not done enough to secure a system when it had a massive data breach, according to the ICO.

After an investigation, the British privacy authority comes to the conclusion that Marriott had not taken the correct technical and organizational measures to adequately protect customers’ data, as required by the European General Data Protection Regulation. At the time of the discovery of the data breach, in 2018, the UK was still part of the EU, so the GDPR applied.

Data from 339 million customer accounts was disclosed in 2018 in an attack on Marriott’s Starwood Hotels and Resorts Worldwide Inc, including unencrypted passport data. The ICO describes that the attackers installed a web shell on a device in the Starwood reservation system and could remotely get a remote access trojan and other malware into the network via this route. In this way they were able to obtain login data from other accounts, open databases with customer information and divert this data.

According to the ICO, Marriott should have done more to secure the affected reservation system. The attack already took place in 2014. Marriott took over Starwood in 2016 and the data breach was discovered in 2018. Marriott argued, among other things, that the chain wanted to replace the reservation system in early 2018 because of indications that this would be unsafe. The ICO notes that this would have been a year and a half after the acquisition, which the authority calls a long period of data processing, and that the final replacement did not take place until the end of 2018.