£100m fine for Marriot Hotel Group – an ICO muscle flex wake up call!

Marriot Group fine

The Marriott hotel group is to be fined around £100m by the Information Commissioner’s Office, after hackers stole records of more than 338 million guests.

This is a huge wake up call for UK executives in all organisations – especially when they realise they were part of the breach!

In November Marriott International, the parent company of hotel chains including Sheraton, Westin, and Le Méridien admitted that personal data including credit card details, passport numbers and dates of birth had been stolen in a colossal global hack of guest records. This is a big deal.

It is the second time in two days the ICO has flexed its muscle to impose huge fines using extensive powers relating to breaches under the General Data Protection Regulation (GDPR). The ICO, which is proposing a £99.2m fine for Marriott, said that about 30 million of the hacked guest records related to residents of 31 countries in the European Economic Area. Seven million related to UK residents.

After an investigation the ICO said the issue appeared to begin when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, although the theft of customer information was not discovered until last year.

The ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure.

Marriott said it would appeal against the fine.

ICO muscle flexing – and more to come no doubt!