Marriott International Inc have been fined £18.4m under the DPA 2018 following a widely reported cyber-attack in 2014, on the systems of another hotel that was acquired by Marriott, and that remined undetected until September 2018.
It is thought that 339m customer records worldwide were affected, though some may have been duplicates, and the personal data compromised may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. Seven million records related to people in the UK.
The penalty imposed by the ICO, in their role as lead supervisor for the case and as approved by other EU DPAs, only relates to the breach from 25 May 2018, when the GDPR came into effect.
The 91 page enforcement notice sets out the detail the events surrounding the breach and, at section 7, explains the reasoning behind the calculation of the penalty. The Commissioner felt it would be appropriate to fine the company £28m but that was reduced to £22.4m after taking into account various mitigating factors, including Marriot’s prompt response and their investment in new security systems planned even before they were aware of the breach. A further reduction to £18.4m was then applied in the light of the ICO’s Coivd-19 policy: while a fine of £22.4m was unlikely to cause hardship, a further reduction was appropriate and proportionate in the circumstances.