Marriott International, Inc. received a notice of intent from the UK Information Commissioner’s Office (ICO) on July 9, 2019, saying regulators intend to fine the hotel chain 99,200,396 pounds (about $124 million) over a customer-data breach at its Starwood unit. In November 2018, Marriott disclosed that the Starwood guest reservation database had been compromised, exposing about 339 million guest records worldwide, of which about 30 million related to residents of 31 countries in the European Economic Area (EEA).
According to the ICO, Marriott did not carry out sufficient due diligence when it acquired Starwood in 2016 and should have done more to secure the systems it inherited. GDPR makes organizations accountable for the personal data they hold, and the ICO’s position is that this accountability extends to corporate acquisitions: an acquirer must assess what personal data it is taking on and how that data is protected, and must put appropriate measures in place to secure it.
President and CEO Arne Sorenson said in a statement, “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.” He also said, “We deeply regret this incident happened. We take privacy and security of guest information very seriously.”
Marriott said it had cooperated with the ICO’s investigation and had improved its security measures since the incident. Its chief executive said in a statement that the company was disappointed by the ICO’s notice of intent and would contest it. The regulatory process allows Marriott to make representations before any penalty is finalized; the ICO will consider those representations, together with input from the other EU data protection authorities concerned, before reaching a final decision. Marriott shares fell after the disclosure.
Published by Emerson L. Sullivan & last updated on July 11, 2019 6:22 am