£18.4 million data breach fine for hotel chain

The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4 million for a major global data breach that, it is calculated, may have affected up to 339 million guests.

The Information Commissioner's Office (ICO) said names, contact information and passport details may all have been compromised in a cyber-attack. The breach included seven million guest records for people in the UK. The ICO said the company failed to put appropriate safeguards in place, but recognised that it had since shown improvement.

While the cyber-attack dates back to 2014, the fine only applies to the breach from May 2018 when new GDPR laws came into force. “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data, because the company they trusted it with had not,” said information commissioner Elizabeth Denham.

The first part of the cyber-attack happened in 2014, affecting the Starwood Hotels group, which was acquired by Marriott two years later. But until 2018, when the problem was first noticed, the attacker continued to have access to all affected systems, including names, email addresses, phone numbers and passport numbers. On that basis, the ICO said Marriott had failed to protect personal data as required by the General Data Protection Regulation (GDPR).

“People who hand over their personal information should be able to trust that it will be handled securely. When it isn't, it can cause real distress to the customer – especially if it is sensitive information,” states Chris Harris, EMEA technical director at Thales. “Clearly, lessons are not being learnt – with this now one of several times the chain has been breached. Other companies should take this as a warning of what can happen, if they don’t put the necessary steps to protect data in place.

“With more people working remotely, using cloud and apps to communicate, the first conversations CSOs should be having with their board is how they can ensure that customers and employees are given access to relevant data, which can be done through robust multi-factor authentication. Following this, the conversation must be around protecting the data at source, and the need to encrypt data and secure it properly through effective key management.

“Through these measures, companies can ensure data is only accessible to those authorised to access it. Until this happens,” cautions Harris, “breaches will continue to happen, customer data left exposed and brands' reputations in tatters.”