The ICO has fined Marriott International Inc. more than $232.8 million (£18.4 million) for failing to keep millions of customers’ personal data secure. 

Marriott estimates that 339 million guest records worldwide were affected following a cyberattack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott. 

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty program membership numbers. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK. The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

The ICO’s investigation traced the cyberattack back to 2014, but the penalty only relates to the breach from May 25, 2018, when new rules under the GDPR came into effect. Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process. In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on its business before setting a final penalty.

Commenting on the news, Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, says, “Large organizations have an extremely challenging problem. They have a lot of legacy machines, networks, and privileged identities, but their protection is spread across business units that came in via acquisitions and are understandably disconnected. These organizations sometimes cannot move at the speed of attackers to tighten defenses, and it is worth noting that they did indeed respond quickly and responsibly. That said, imposing reasonable fines is indeed a good way to make measuring and improving data risk a board-level priority. And this can only be good for both customers and enterprises that host their data.”

Hank Schless, Senior Manager, Security Solutions at Lookout, says, “Regulations like GDPR and CCPA exist to ensure your customer and employee data is not put at risk. Mobile devices are full of this data and have the same access to company data as any desktop or laptop.”

He adds, “Smartphones and tablets now have just as much access to corporate data as traditional endpoints like desktops and servers. More employees are using these devices to stay productive while working from home, which increases the spectrum of data access. With mobile apps being an integral part of our personal and professional lives, most of us don’t think much about the serious risks they may introduce into our organization. Your employees may believe these apps are innocuous, but permissions and data access in personal apps could violate compliance requirements.”

“Including iOS, Android, and ChromeOS devices in your compliance strategy is now a key part of ensuring alignment to these standards. Without treating them with the same level of importance as your traditional endpoints, you are leaving a gap in your security and compliance posture. Most data breaches start with a phishing attack, and without proper protection in place, those attacks have high success rates on mobile,” says Schless. “When evaluating a mobile security tool, the number one priority should be ensuring that it is built with end-user privacy in mind. In the case of mobile phishing, the tool should be able to protect against these attacks without inspecting the message content in order to preserve end-user privacy.”