Yesterday we heard that the ICO in the UK had announced a larger proposed fine against British Airways over its data breach, and now the Information Commissioner's Office has announced that it intends to fine Marriott International £99 million over a data breach of its own.
The proposed fine relates to infringements of the General Data Protection Regulation (GDPR) arising from a breach, notified to the ICO in November 2018, in which approximately 339 million guest records were exposed.
Details of the Data Breach
The data breach in question involved unauthorised access to the Starwood guest reservation database, which Marriott acquired in 2016. Starwood's systems were first compromised in 2014, but the intrusion was not discovered until 2018, meaning that the personal information of millions of guests was exposed for a significant period. The compromised data included names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, payment card information.
The ICO's investigation found that Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to secure its systems. The ICO's position is that this lack of due diligence and the inadequate security measures that resulted left personal data exposed, in breach of the GDPR.
Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Implications and Lessons Learned
The proposed fine against Marriott International serves as a stark reminder of the importance of data protection and the severe consequences of failing to comply with the GDPR. Organisations must recognise that personal data is a valuable asset and treat it with the same care and security as any other. This incident highlights the need for robust cybersecurity measures and thorough due diligence, especially during mergers and acquisitions, when an acquirer inherits not only the target's data but also the state of the systems that hold it.
For businesses, this case underscores the necessity of conducting comprehensive security audits of acquired systems and implementing strong data protection policies. Regular training for employees on data security practices and the importance of safeguarding personal information is also crucial. Additionally, companies should have a clear incident response plan in place so that a breach is detected and contained quickly rather than, as here, persisting undetected for years.
The Marriott data breach also emphasises the role of regulatory bodies like the ICO in enforcing data protection laws and holding organisations accountable. The size of the proposed fine reflects the seriousness of the breach and the scale of the data exposed.
You can find out more details about the ICO's intention to fine Marriott International on its website, via the source link below.
Source ICO