Marriott Hotels has been issued a fine of £18.4m for a major breach that leaked the personal information of over 300 million guests, including credit card details.
Back in June of last year, Marriott Hotels suffered an extensive data breach that leaked the personal information of over 300 million guests, including passport details and credit card information for many customers. The breach actually dated back to the company's earlier acquisition of Starwood, which had already been breached by a hacker.
When Marriott acquired Starwood, it didn't carry out the appropriate due diligence on the company's IT systems and so didn't realise the firm's databases were breached. The attacker continued to have access well into 2018, when GDPR came into effect and the fine for data breaches rose from a £500k slap on the wrist to potentially tens of millions.
The Information Commissioner's Office investigated the international hotel chain and issued a notice that it would fine the company £99m under GDPR, which provides for fines of up to £20m or 4% of the company's international revenue, whichever is greater. This came at the same time as a major £183m fine to British Airways for a similar cyber-security breach.
This week we heard that British Airways was getting its fine reduced from £183m to just £20m due to the impact of COVID-19 on the air travel industry, a compromise that the company welcomed. Now it's Marriott's turn to have its fine officially issued, and it's also getting off lightly with a reduction in its fine from £99m to £18.4m.
These two fines originally totalled over £280m, and issuing them was a landmark decision for global enforcement of GDPR. It sent a clear message to major international firms using the data of EU and UK citizens that they will be held accountable for major data breaches that harm customers.
While the reduction in fines does dilute this message, the fines are still far above the £500k maximum that older Data Protection legislation allowed. The reduction also comes at a time when both the aviation and the hotel industry are facing enormous financial pressure, as COVID-19 lockdowns continue to reduce travel and tourism worldwide.
Source: BBC News