Marriott hotel chain fined $123 million for major data breach

The Marriott hotel chain has become the second largest company to face a severe penalty for non-compliance with the GDPR.

The British regulator, the Information Commissioner’s Office (ICO), reported a fine of £99 million ($123 million) for a data leak that occurred in 2018.

«The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected», said British Information Commissioner Elizabeth Denham.

The data leak was discovered in November 2018, when the company disclosed a compromise of the database of its subsidiary Starwood Hotels.

Records of about 339 million guests fell into the hands of attackers. The database included guest names, postal addresses, telephone numbers, email addresses, dates of birth, field information, arrival and departure details, booking dates and so on, as well as data on 8.6 million bank cards.

An internal investigation showed that attackers had had access to the system since 2014. The ICO investigation found that Marriott did not carry out adequate checks when buying Starwood and did not properly protect its system.

«Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public», Elizabeth Denham said in an official statement.

However, there is an opinion that cybercriminals associated with the Chinese government could be responsible for the cyberattack on the Marriott hotel network, during which the personal data of 500 million users was stolen.

Additionally, it recently became known that the UK Information Commissioner’s Office had fined British Airways, the country’s largest airline, for non-compliance with the GDPR. The fine was a record £183 million.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.