Marriott Fined $23.9 Million by Regulator Over Cyber-Attack (1)

Oct. 30, 2020, 1:13 PM

Marriott International Inc. was fined 18.4 million pounds ($23.9 million) by the U.K. privacy regulator for failing to protect the data of millions of customers during a hacking attack on reservation databases.

The penalty by the Information Commissioner’s Office Friday is a fraction of the 99 million-pound fine the watchdog had planned to issue last year. Marriott estimates some 339 million guest records were exposed during a cyber-attack in 2014 that remained undetected until 2018. About seven million British guests were affected, the ICO said.

“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” the regulator’s head Elizabeth Denham said in a statement.

Slashed Penalties

The penalty is the second this month that the regulator has drastically slashed following pushback from the companies. The ICO fined British Airways 20 million pounds over a data breach after initially proposing a record 183.4 million-pound fine.

The ICO said it reconsidered its decision in light of steps taken by Marriott “to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty.”

Marriott said in a statement that it deeply regretted the incident. “The ICO recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests,” the U.S.-based company said.

“As with the BA fine, this was a long time coming,” said Ann Bevitt, a partner at law firm Cooley in London. “Although the number of affected individuals and four-month duration of the attack were seen as aggravating factors, the ICO identified a number of mitigating factors,” such as Marriott’s cooperation with the watchdog.

‘Pandemic Pragmatism’

“Whether a second significantly reduced fine will be welcomed as another example of pandemic pragmatism and encourage organizations to be less robust with their adherence to the GDPR remains to be seen,” she said.

The hack took place in 2014 and targeted the database of Starwood Hotels & Resorts but remained unknown until four years later, by which time the company had been acquired by Marriott.

Just like the BA case, the investigation into the Marriott data breach was part of an EU-wide effort that was led by the ICO. The Irish data protection watchdog is also investigating at least 20 cases with an EU scope, concerning companies such as Apple Inc. and Facebook Inc. Its most advanced probe into Twitter Inc. has been delayed due to challenges from other national data regulators to its draft findings.

Regulators are obliged under the EU’s General Data Protection Regulation to seek feedback from all data protection watchdogs in probes with an EU-wide reach. The ICO also sought the green light from other data authorities before adopting a final decision in the BA and the Marriott cases.

(Updates with lawyer comment starting in seventh paragraph)

To contact the reporter on this story:
Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net

To contact the editors responsible for this story:
Anthony Aarons at aaarons@bloomberg.net

Peter Chapman

© 2020 Bloomberg L.P. All rights reserved. Used with permission.
