The prestigious Marriott hotel group faces a fine of up to one hundred million pounds after suffering a data breach that impacted more than 300 million users, website security specialists report. The UK Information Commissioner’s Office (ICO) imposed the fine against the company due to the information security incident arising in the systems of the Starwood hotel company during 2014. Marriott acquired Starwood in 2016, but company executives disclosed this incident until 2017.
In its investigation, the ICO mentions that the
hotel chain did not carry out the established procedure after acquiring Starwood,
stating that better security measures could have been taken to prevent such
incidents.
The fine was established in accordance with the
new data protection legislation in force for the European community. As
reported by website security specialists, the European Union General Data
Protection Regulation (GDPR) came into force last year, authorizing hefty fines
for companies that incur data security incidents.
On the other hand, a Marriott spokesman stated
that the company is “deeply disappointed by the ICO’s ruling” adding
that the regulatory authority’s decision will be appealed. “We cooperated
with the ICO throughout the investigation, which determined that the incident
occurred due to a cyberattack on Starwood databases”, the spokesman added.
When the incident was publicly disclosed, the
hotel group claimed that an unidentified threat actor managed to access the
records of around 339 million guests, in addition to another 5 million records
stored by the company.
Elizabeth Denham, Information Commissioner,
stated that “as established by the GDPR, companies must assume
responsibility for the data stored in their systems.” According to the
website security experts from the International Institute of Cyber Security (IICS)
this involves the implementation of the relevant security measures, as well as
the design of a protocol to follow in the event of any information security
incident.
