Following on from the recent massive fine of £183 million for British Airways, Marriott have found themselves on the end of a hefty fine totaling £99 million after their previous data breach in 2018. The data breach in 2018 exposed approximately 339 million Marriott guest records and details.
It was brought to light in November 2018 where a third-party hacker had gained access to its Starwood guest reservation system and database via an unpatched vulnerability in the system that had been there since 2014.
30 million of the 339 million records assessed were found to have related to residents across 31 countries in the EU with 7 million of the records belonging to UK Citizens. Marriott (who bought the Starwood brand in 2016) were deemed by the ICO to have “failed to undertake sufficient due diligence” during the acquisition and missed the vulnerability due to this. This was deemed as a violation of GDPR resulting in the £99 million fine recently issued.
Despite the size of the fine, the ICO (Information Commissioner’s Office) has stated that Marriott has co-operated with the investigation eventually making improvements to its security protocols since the breach was discovered. This will allow Marriott to now have an opportunity to make representations to the ICO as to the proposed findings and sanctions.
'The GDPR makes it clear that organisations must be accountable for the personal data they hold,' said Information Commissioner Elizabeth Denham. 'This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
'Personal data has real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public.'
This will no doubt result in an ongoing trend as there becomes a stricter look on GDPR, company's cyber security and their use of customer data. Make sure you and your company are GDPR ready and Cyber Security secure to ensure you are not the next company in a growing list of those being issued with heavy fine.
If you want to take additional measures to protect your business from potential cyber attacks or data breaches, then why not get your business Cyber Security Certified with Advantage by getting in touch with our team of IT experts today.
Want to be kept up to date on any potential data breaches? Then why not sign up to our mailing list to get these delivered straight to your inbox?