The ICO fines Marriott £18.4 million
The Marriott hotel group has been fined £18.4 million by the UK Information Commissioner’s Office (ICO) for a data breach that began in 2014. The penalty is far below the amount the ICO originally proposed, a reduction the regulator attributed in part to the impact of COVID-19.
The ICO pursued Marriott over a breach of the Starwood hotel chain, which Marriott acquired in 2016. In the incident for which the group has been fined, attackers planted a web shell on a Starwood system and used it to install and run malware on the Starwood network, including remote access tools and credential-harvesting software.
This gave the criminals access to guest reservation databases containing names, email addresses, telephone numbers, passport numbers, travel details and loyalty programme data.
The compromise went undetected for four years, until 2018, and during that time records relating to nearly 339 million guests were exposed. Around seven million of those records related to UK residents.
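Added example (not part of the original article, and not based on the ICO’s penalty notice or on any Marriott or Starwood artefact): a small Python hunt for the kind of web-shell activity described above, run over a constructed sample of web server access-log lines. A web shell is a script the attacker drops into the web root and drives over HTTP, so it tends to leave a distinctive trace: a script path that only ever receives POSTs, from one or two client addresses with no referrer, or one that carries a command-style query parameter. The file paths, client addresses, thresholds and the three heuristics are illustrative assumptions; a real hunt would tune them against the site’s normal traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields the heuristics need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Server-side script extensions a dropped shell would typically use (assumption).
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp", ".jspx", ".ashx")
# Query parameters commonly used by simple command shells (assumption, not exhaustive).
CMD_PARAMS = re.compile(r"[?&](cmd|exec|command|c|pass)=", re.IGNORECASE)

# Constructed sample: one quiet shell under /images/cache/, normal login traffic,
# and a one-off command shell under /tmp/. None of these are real hosts or paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2014:03:12:01 +0000] "POST /images/cache/up.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2014:03:12:05 +0000] "POST /images/cache/up.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2014:03:13:44 +0000] "POST /images/cache/up.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Jul/2014:03:14:10 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Jul/2014:03:14:12 +0000] "GET /login.php HTTP/1.1" 200 4096 "http://example.test/index.php" "Mozilla/5.0"
198.51.100.21 - - [10/Jul/2014:03:14:30 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:03:15:02 +0000] "GET /tmp/c.php?cmd=whoami HTTP/1.1" 200 128 "-" "curl/7.35"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(lines, min_hits=3):
    """Return {script_path: [reasons]} for paths whose traffic looks like a web shell.

    Heuristics (assumptions chosen for illustration):
      post-only                : the path is only ever POSTed to, never fetched with GET
      few-clients-no-referrer  : at most two client IPs and never a referrer (driven by a
                                 tool, not reached by browsing)
      command-parameter        : a query string carrying a command-style parameter
    """
    per_path = defaultdict(
        lambda: {"methods": set(), "ips": set(), "no_ref": 0, "cmd": 0, "hits": 0}
    )
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue  # static content is not a web shell candidate
        s = per_path[path]
        s["hits"] += 1
        s["methods"].add(rec["method"])
        s["ips"].add(rec["ip"])
        if rec["referer"] in ("", "-"):
            s["no_ref"] += 1
        if CMD_PARAMS.search(rec["path"]):
            s["cmd"] += 1

    findings = {}
    for path, s in per_path.items():
        reasons = []
        if s["hits"] >= min_hits and s["methods"] == {"POST"}:
            reasons.append("post-only")
        if s["hits"] >= min_hits and len(s["ips"]) <= 2 and s["no_ref"] == s["hits"]:
            reasons.append("few-clients-no-referrer")
        if s["cmd"]:
            reasons.append("command-parameter")
        if reasons:
            findings[path] = sorted(reasons)
    return findings


def scan_sample():
    """Run the hunt over the constructed sample log."""
    return find_webshell_candidates(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for path, reasons in scan_sample().items():
        print(f"{path}: {', '.join(reasons)}")
```

Run as a script it prints the two flagged paths. The scan is deliberately stateless and per-path; in practice you would pair it with a file-integrity check on the web root (a newly created script file is the strongest signal of all) and with the credential-use monitoring needed to catch the remote access and credential-harvesting tools that follow the shell.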
The ICO found that Marriott had breached the GDPR, which has applied since May 2018, by failing to put in place appropriate technical and organisational measures to secure the personal data it was processing, and held the company responsible for that failure.
The regulator did acknowledge, however, that Marriott promptly notified affected customers and the ICO once the incident was discovered, and acted quickly to limit the potential harm to customers.
With the coronavirus pandemic forcing the cancellation of planned holidays and corporate travel, the hotel chain has been under pressure and has laid off thousands of workers. Reporting its first-quarter losses, the company said it expected to burn through roughly $85 million of cash per month in 2020.
Despite Marriott’s financial difficulties and the improvements it has since made to its security, the ICO still issued a fine, but the £99 million originally proposed was cut to £18.4 million.
The ICO’s notice of intent, issued in July 2019, had set the penalty for the GDPR breaches at £99,200,396. The ICO said the revised figure reflects its discussions with Marriott, the improvements Marriott has made to its security, and the economic impact of COVID-19 on the company.
Elizabeth Denham, the UK Information Commissioner, said that millions of people’s data had been affected by Marriott’s failure, that thousands of individuals had called a helpline, and that some may have had to take precautions to secure their data because the company they trusted could not do so for them.
British Airways was also fined £20 million by the ICO last month, after attackers stole the details of more than 400,000 customers in a breach dating from 2018.
The regulator criticised the airline for “unacceptable” security failures that contributed to the breach, including a lack of security monitoring, inadequate access control and insufficient use of two-factor authentication.
The BA penalty is one of the largest the ICO has issued to date, but it could have been far higher: the regulator’s July 2019 notice of intent had proposed a fine of £183 million. Citing the “considerable” improvements BA has made to its security and the effect of COVID-19 on the airline industry, the ICO set the final figure at £20 million.