Following hot on the heels of the other day’s proposed £182m fine for British Airways, the Information Commissioner’s Office (ICO) has served another company, Marriott International, with a fine of £99,200,396 for infringements of the General Data Protection Regulation.
The proposed fine relates to a cyber incident which Marriott notified the ICO of in November 2018. According to the ICO press release a “variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.”
The ICO believes the vulnerability began when the systems of another hotel group, Starwood, were compromised back in 2014. Marriott acquired Starwood in 2016, yet the compromise (i.e. the exposure of customer data) was not discovered by Marriott until 2018. The ICO’s investigation found that Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should also have done more to secure its systems.
Commenting on the intention to fine, the Information Commissioner Elizabeth Denham said: “(t)he GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”