One of the largest hotel chains in the world, Marriott Hotels will have to cough up £18.4 million ($21 million) in fines after Information Commissioner's Office (ICO) in the U.K. found it responsible for a massive data breach in 2014. Data of 339 million guests was leaked during the breach.
The data included name, phone number, address, passport details, email ID, VIP status and loyalty program number. Hackers first managed to breach into the servers of Starwood Hotels in 2014. But in 2016, it was acquired by Marriott. However, it took two more years to find the breach as the hackers continued to access the information, irking investigators about its lackluster security measures to protect customers' data.
Records of 339 Million Guests Stolen
During the investigations, it was revealed that the hackers uploaded malware to the company server through a web shell and remote access tool. Once they had access, credential harvesting software was used to gather sensitive information.
The problem was that Marriott during the takeover of Starwood never realized the data breach and unknowingly bought the liability as well. Over the four years, hackers scalped records of 339 million guests and it was too late when Marriott identified the breach. The ICO slammed Marriott's lax security measures but said that it had improved.
"Personal data is precious and businesses have to look after it. Millions of people's data was affected by Marriott's failure. thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not," ICO commissioner Elizabeth Denham said. "When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."
While the £18.4m fine seems less for a company of Marriott's size considering the volume of the data breach, the Coronavirus pandemic played a part. The ICO planned to slap a £99m fine as per the General Data Protection Regulation (GDPR). But due to the Coronavirus pandemic and subsequent loss of business, the fine was reduced.
The hospitality industry has been one of the worst affected sectors in the pandemic. As governments around the world imposed lockdowns and banned international flights, holidays, business trips and reservations were canceled, sending the hotel chains down the spiral. The U.S. headquartered hotel chain reported a $234 million loss in the second quarter.
As a result, Marriott has been forced to cut thousands of jobs like other hotel chains. The company said that it expected to lose $85 million a month in 2020 before everything returned to normal. However, considering the severity of the data breach, ICO held Marriott accountable and imposed a reduced fine.
Marriott isn't the only company to pay such fines. Last month, ICO also fined British Airways £20 million for a data breach in 2018. More than 400,000 customers' sensitive data were stolen by the hackers in the attack.