The prestigious Marriott hotel group faces a fine of up to one hundred million pounds after suffering a data breach that affected more than 300 million users, website security specialists report. The UK Information Commissioner's Office (ICO) imposed the fine on the company over an information security incident that began in the systems of the Starwood hotel company in 2014. Marriott acquired Starwood in 2016, but company executives did not disclose the incident until 2017.
In its investigation, the ICO found that the hotel chain did not follow the established procedures after acquiring Starwood, stating that better security measures could have been taken to prevent such incidents.
The fine was set in accordance with the new data protection legislation in force across the European Union. As reported by website security specialists, the EU General Data Protection Regulation (GDPR) came into force last year, authorizing hefty fines for companies that suffer data security incidents.
On the other hand, a Marriott spokesman stated that the company is “deeply disappointed by the ICO’s ruling” adding that the regulatory authority’s decision will be appealed. “We cooperated with the ICO throughout the investigation, which determined that the incident occurred due to a cyberattack on Starwood databases”, the spokesman added.
When the incident was publicly disclosed, the hotel group claimed that an unidentified threat actor managed to access the records of around 339 million guests, in addition to another 5 million records stored by the company.
Elizabeth Denham, Information Commissioner, stated that “as established by the GDPR, companies must assume responsibility for the data stored in their systems.” According to the website security experts from the International Institute of Cyber Security (IICS) this involves the implementation of the relevant security measures, as well as the design of a protocol to follow in the event of any information security incident.