The Information Commissioner’s Office (ICO) has issued a monetary penalty notice fining Marriott International Inc (Marriott) £18.4 million for breaching its data security obligations under GDPR, leaving about 339 million guest records worldwide exposed to a cyber-attack on Starwood Hotels and Resorts Worldwide Inc’s (Starwood) reservation database in 2014.
Indeed, the ICO traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when the GDPR became applicable. As the breach occurred before the UK left the EU, the ICO investigated this on behalf of all of the EU authorities as a lead supervisory authority under the GDPR.
The amount imposed is a significant reduction on the £99,200,96 million the ICO announced it intended to fine Marriott in July 2019. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.
It follows hot on the heels of the ICO fining British Airways £20 million for a cyber-breach, the largest fine imposed to date for a breach of the GDPR.