Marriott International Faces £99 Million GDPR Fine Following 2014 Data Breach
Following a record £183 million fine recently imposed on British Airways, the UK’s Information Commissioner’s Office (ICO) is now targeting Marriott International, the world’s largest hotel chain, with a proposed £99 million ($123 million) penalty. This action arises from a significant data breach that occurred in 2014, which compromised vast amounts of customer data.
The breach was uncovered in November 2018, when Marriott revealed that an unauthorized intrusion into its Starwood hotels subsidiary had led to the theft of personal information for approximately 339 million guests. This incident underscores a troubling trend as regulators emphasize the necessity for robust data protection measures.
The compromised database included sensitive details such as names, addresses, email addresses, birth dates, and even unencrypted passport numbers for at least five million individuals, along with credit card information for eight million customers. The ICO reported that nearly 30 million individuals from 31 countries, including 7 million UK residents, were affected by this breach, highlighting its extensive reach.
During its investigation, the ICO found that Marriott failed to perform adequate due diligence when acquiring Starwood and did not implement sufficient security protocols to protect its systems. The General Data Protection Regulation (GDPR), enforced across Europe, mandates that organizations take responsibility for securing personal data, which includes applying thorough accountability measures during corporate mergers and acquisitions.
Elizabeth Denham, the Information Commissioner, stated that organizations must recognize the value of personal data and their legal obligation to protect it as they would with any other asset. The ICO’s actions indicate a commitment to safeguarding public rights against negligence in data security.
Marriott’s President, Arne Sorenson, expressed disappointment over the ICO’s announcement, signaling the company’s intention to contest the fine. The ongoing scrutiny reflects increased regulatory vigilance in light of GDPR, which has transformed the landscape of data privacy and security across Europe and beyond.
Mapped to the MITRE ATT&CK framework, an intrusion of this kind would potentially involve tactics such as initial access, for example through exploitation of unpatched vulnerabilities; persistence, by establishing backdoor access to the network; and privilege escalation, enabling unauthorized users to gain higher access levels within the system. These tactics illustrate a sophisticated understanding of vulnerabilities by adversaries, emphasizing the critical need for organizations to bolster their cybersecurity defenses.
As data breaches continue to escalate, business owners must prioritize the implementation of rigorous security measures to protect customer information and comply with evolving data protection regulations. The potential consequences of inadequate data security not only involve significant financial penalties but also the erosion of customer trust.