Marriott Faces $123 Million GDPR Fine for 2018 Data Breach

The UK Information Commissioner’s Office (ICO) intends to fine Marriott International Inc £99,200,396 ($123,705,869 / €110,385,736) for infringing the General Data Protection Regulation (GDPR) according to a press release published today.

The ICO is the UK’s independent regulator for information rights and data protection law. It protects information rights in the public interest, encourages data privacy for individuals, and promotes openness by public entities.

The fine relates to the 2014 breach of the guest reservation database of the Starwood hotels group, which occurred before Marriott acquired the company. The incident was not discovered until 2018, two years after the Starwood acquisition.

"The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems," says the ICO statement.

A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident. Around 30 million of those records related to residents of 31 countries in the European Economic Area (EEA), and seven million related to UK residents.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."

Arne Sorenson, Marriott International’s President and CEO, expressed the company's disappointment in a filing with the US Securities and Exchange Commission (SEC), in which he also stated that Marriott cooperated with the ICO throughout the investigation:

We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

Marriott's SEC filing also says that the Starwood guest reservation database compromised in the breach disclosed in November 2018 is no longer in use as part of the company's day-to-day business operations.

Marriott will have the opportunity to make representations to the ICO regarding the findings and the proposed sanction before the final decision is taken by the lead supervisory authority on behalf of all other data protection authorities across the EU.

British Airways also at risk of a record $228,706,585 GDPR fine

The ICO also expressed its intention to fine British Airways £183.39 million ($228,706,585 / €204,084,034) under the GDPR after concluding an investigation into a September 2018 cyber incident in which the personal data of around 500,000 customers was compromised.

As was later discovered, British Airways was the victim of a Magecart card-scraping attack that used a web-based card skimmer injected into the airline's payment page to steal its customers' payment card information.

"This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," digital threat management company RiskIQ said in a report at the time.

"The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information," says the supervisory authority's statement from yesterday.

Google's GDPR struggles 

In January, Google was hit with a €50 million ($56.8 million) financial penalty under the GDPR by the Commission Nationale de l’Informatique et des Libertés (CNIL) for not obtaining user consent before processing data for ad personalization and for violating its transparency and information obligations.

Google was also on the receiving end of the largest fine ever imposed on a tech firm in the EU's history when it received a financial penalty of €4.34 billion ($5.04 billion) for breaking antitrust rules with Android.

The US search giant's GDPR troubles have not ended yet: the Irish Data Protection Commission (DPC) is also investigating whether Google's processing of personal data collected as part of Ad Exchange online advertising transactions breaches the GDPR.
