The Information Commissioner's Office (ICO) found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its hosting and server systems.
In the same week as BA’s mega fine, the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
The fine relates to the incident in November 2018, when Marriott notified the ICO that personal data in 339 million guest records had been exposed, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
What makes this case unusual is that the data breach did not happen on Marriott's watch but rather at Starwood, two years before the business was bought by Marriott.
The systems of the Starwood hotels group are believed to have been compromised in 2014, but the compromise was not spotted when Marriott acquired Starwood in 2016. The ICO therefore found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
In the words of the Information Commissioner, Elizabeth Denham CBE:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
In the words of Ilias Chantzos, senior director of government affairs at Symantec:
“Yesterday’s £183 million and today’s £99 million fines have solidified GDPR as a very serious piece of legislation, and one that is putting an organisation’s cyber security challenges and budget into an entirely new context…. It demonstrates the importance of a comprehensive integrated cyber defence to prevent such incidents and to provide not only security, but also auditability and compliance.”