Marriott is fined £18.4m for massive data breach
The UK’s data protection supervisory authority, the Information Commissioner (“ICO”), has issued Marriott International with an £18.4m fine for a data breach.
Perhaps ICO fines are like buses. You wait ages for one (and so on).
Today (30 October 2020) sees the second long-delayed significant fine imposed by the ICO in the wake of a large-scale cyberattack (with attendant personal data breach). As with the fine levied on British Airways on 16 October 2020, the fine faced by Marriott is significantly less than the original figure suggested in July 2019 when the ICO announced its intention to fine the hotel chain. Back then it was £99m; today it is £18.4m.
Today’s announcement by the ICO stems from a cyber-attack in 2014 on the Starwood chain of hotels. The attack was only discovered in September 2018, by which time Marriott had acquired Starwood. Marriott estimated that 339 million guest records were affected globally as a result of the attack, 7 million of which related to UK data subjects.
Like the BA Penalty Notice, the Marriott one is long and detailed, and, once UpData has spent the weekend reading it, we will report in more detail. In the meantime, the ICO found that Marriott failed to process personal data in a manner that ensured appropriate security of that data, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR. The drop from the intended fine of £99m to today’s more modest (relatively speaking) amount appears to be down to a combination of significant mitigating measures Marriott put in place following the cyberattack (this despite Marriott experiencing a subsequent data breach event in March 2020) and the application of the ICO’s "COVID-19 policy".