The Information Commissioner's Office (ICO) has fined Marriott £18.4 million over a 2014 data breach, heavily reducing the penalty originally planned due to COVID-19 disruption.

The Marriott hotel group was subject to a 2014 data breach[1] impacting the Starwood resort chain, which Marriott acquired in a deal announced in 2015.

At the time, threat actors were able to infiltrate Starwood systems and execute malware via a web shell, including remote access tools and credential harvesting software. 

The attackers were then able to enter databases used to store guest reservation data including names, email addresses, phone numbers, passport numbers, travel details, and loyalty program information. 

The compromise went undetected until 2018, and over the course of roughly four years the attackers stole information belonging to around 339 million guest records worldwide. Of these, about seven million records related to UK guests.


The ICO says[3] the company failed to "put appropriate technical or organizational measures in place" to protect the personal data it was processing, as the GDPR requires, and so breached data protection law. Although the intrusion began in 2014, the GDPR only applies from 25 May 2018, so the penalty covers the period from that date until the breach was discovered, not the full four years of the compromise.

However, the watchdog acknowledged that "Marriott acted promptly to contact customers and the ICO" once the cybersecurity incident was uncovered, and "acted quickly to mitigate the risk of damage suffered by customers."

The hotel chain, alongside rivals such as Hilton, has been forced to slash thousands of jobs as travel plans, business trips, and holidays were canceled due to the coronavirus pandemic. After posting its first quarterly loss[4] in close to a decade, the company said it expects a cash burn of $85 million a month in 2020.

Due to Marriott's
