ICO FINES MARRIOTT INTERNATIONAL INC £18.4MILLION FOR FAILING TO KEEP CUSTOMERS’ PERSONAL DATA SECURE

30.10.2020

The United Kingdom Information Commissioner’s Office (“ICO”) has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure.

Attack from unknown sources detected after the company was taken over by Marriott in September 2018. Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc.

The breached information will vary, but may include names, e-mail addresses, phone numbers, unencrypted passport numbers, arrival / departure information, VIP status of the guests and loyalty program membership number.

The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

You can reach the full text of the Press Release here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr