The United Kingdom's Information Commissioner's Office (ICO) has notified Marriott International that it intends to fine the hotel chain 99.2 million pounds sterling (110 million euros) for breaching the European General Data Protection Regulation (GDPR).
The fine proposed by the United Kingdom relates to the cyber attack that Marriott reported to the ICO in November 2018, although the vulnerability of the system dates back to 2014. The North American chain acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
In a statement, the British agency notes that its investigation found that Marriott "did not perform due diligence when it bought Starwood and should have done more to secure its systems," although it acknowledges that the hotel chain has cooperated in the investigation.
The notice of the fine follows the one issued last Monday to British Airways (BA), part of the IAG holding group, for which the regulator proposes a penalty of 183.39 million pounds (about 204.6 million euros) for the theft of customer data from the airline's website. 2017
"The GDPR makes it clear that organizations must be responsible for the personal data they hold," said Commissioner Elizabeth Denham, which includes "performing due diligence in making a corporate acquisition and establishing adequate accountability measures to evaluate not only what personal data have been acquired, but also how they are protected." "If that does not happen, we will not hesitate to take firm action when necessary to protect the rights of the public," she added.
Disappointment in the chain
After the notice of the fine, the president and CEO of Marriott International, Arne Sorenson, expressed his disappointment at the intention to penalize the chain and said that it will challenge the fine.
Marriott has been cooperating with the ICO throughout its investigation of the incident and has stated that the reservations database of its Starwood brand that was attacked is no longer used for business operations.
"We deeply regret that this incident has occurred. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott," he said.
Marriott put the number of records affected by the theft of data from reservations made by its customers in hotels of its Starwood brand at a maximum of 383 million, down from the 500 million initially identified, of which 30 million belonged to the EU.
The hotel giant, which operates more than 30 brands and acquired Starwood two years ago, calculated that the theft could have affected approximately 327 million of these customers. According to its own investigation, it is believed that the vulnerability began when the Starwood hotel systems were compromised in 2014.
At the end of November, Marriott discovered that there had been unauthorized access to the Starwood databases since 2014, one year before it bought the brand, which was hacked for four years. Investigations were then opened in at least five states of the United States and in the United Kingdom.
After the internal investigation, the group identified the theft of approximately 8.6 million payment card numbers, all of them encrypted, some 5.25 million unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.