On 30th October 2020, the Information Commissioner’s Office (ICO) exercised its powers under the GDPR once again by fining the Marriott Hotels chain £18.4 million for failing to keep the personal data of its customers secure.
It is estimated that 339 million guest records worldwide were affected by a cyber-attack in 2014 relating to Starwood Hotels and Resorts Worldwide Inc. The cyber-attack was only discovered in September 2018, by which point Starwood Hotels had been acquired by the Marriott chain, which was therefore ultimately responsible.
The ICO has stated that the personal data involved may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status, and loyalty programme membership numbers. Following the ICO’s investigation, it was found that Marriott had failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.
In July 2019, the ICO had issued a notice of intent to fine Marriott over £99 million in relation to the breach. However, in reducing this amount to £18.4 million, the ICO took into account the steps Marriott has taken to mitigate the effects of the breach and also the economic impact of COVID-19. This is the same approach taken in last month's decision to fine British Airways £20 million for a data breach in 2018, where the original intention had been to fine £183 million.
However, these are still significant fines and demonstrate the important role of the ICO and the significance of its powers under the GDPR and the Data Protection Act 2018. As originally highlighted when the GDPR was introduced in 2018, any substantial data breach now carries much more severe consequences than under previous data protection law.