Marriott International facing £99 million fine over data hack of customer information
Leading data protection lawyer says customers affected by the breach are now likely to be entitled to compensation for the distress and inconvenience caused, as well as any financial losses suffered.
Posted on 09 July 2019
“It is important to remember the seriousness of the data breach. The data breach affected hundreds of millions of customer records worldwide, including seven million relating to UK residents, and involved the exposure of customers’ sensitive personal data.”
Sean Humber, Data Protection Lawyer at Leigh Day
The Information Commissioner's Office (ICO), the UK’s data protection watchdog responsible for upholding the public’s information rights, has today issued a Notice of Intention to fine Marriott International £99,200,396 for breach of the General Data Protection Regulation (GDPR) in relation to the serious data hack notified to customers and the ICO in November 2018.
As a result of its investigations, the ICO has today confirmed that a variety of personal data contained in approximately 339 million guest records globally was exposed by the incident, including around 30 million records relating to residents of the 31 countries in the European Economic Area (EEA) and seven million relating to UK residents.
The ICO further stated that the vulnerability began in 2014, when the systems of the Starwood Hotels Group, which Marriott International subsequently acquired in 2016, were compromised. However, because it failed to undertake sufficient due diligence when it bought Starwood and failed to do more to secure the acquired systems, Marriott International did not discover the problem until late 2018.
In November 2018, Marriott International told customers that the hacked information included a combination of their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences, as well as encrypted payment card numbers and payment card expiration dates. It also stated that the two components needed to decrypt the payment card numbers may have been taken as well.
Marriott International’s Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. This includes over a dozen Starwood hotels in the UK including the Sheraton Grand London Park Lane Hotel, the Sheraton Heathrow Hotel, the Trump Turnberry Resort and Le Meridien Piccadilly Hotel.
The hotel chain now has an opportunity to respond to the ICO’s findings, including the level of the proposed fine, and has said that it intends “to vigorously defend its position”.
Sean Humber, a leading data protection lawyer at Leigh Day who acts for victims of cybercrime, said:
“The ICO’s Notice of Intent is an important development. It confirms that, following its extensive investigation, the ICO believes that Marriott International broke the law in failing to take adequate security measures to protect its customers’ information.
“The level of the proposed fine of over £99 million is obviously a significant one. The GDPR allows fines of 20 million euros or 4% of annual global turnover, whichever is greater. Given that Marriott International’s turnover was in excess of £16 billion in 2018, a fine of £99 million would represent approximately 0.6% of its annual turnover.
“Despite Marriott International’s obvious disappointment at the size of the proposed fine, it is important to remember the seriousness of the data breach. The data breach affected hundreds of millions of customer records worldwide, including seven million relating to UK residents, and involved the exposure of customers’ sensitive personal data that is likely to have caused considerable distress and inconvenience.
“Completely separate from any fine levied by the ICO, Marriott International customers affected by the data breach are likely to be entitled to compensation for the distress and inconvenience caused by the loss of their information, even if they have not suffered any direct financial loss.”