The UK ICO (the UK’s data privacy regulator) has fined the giant hotel chain Marriott International £99 million (approximately $123 million) for infringements of the General Data Protection Regulation (GDPR).
After the announcement of the fine imposed by the UK ICO, the company’s shares fell 1.5% to $139.20.
In November, the hotel chain announced the largest data breach in history, saying that 500 million guests at its Starwood hotels may have been affected. The hackers had been accessing Starwood’s guest reservation system since 2014. The intrusion was first noticed on September 8, and on November 19 an investigation confirmed the security incident. The compromised data included names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, and reservation data. It also included financial data: payment card numbers and payment card expiration dates.
According to the ICO, the security incident compromised the personal data of 339 million guest records, of which 30 million were records of people from 31 countries in the European Economic Area (EEA); 7 million United Kingdom residents were also affected by this security incident.
According to the ICO, Marriott did not carry out proper due diligence when it acquired Starwood. The ICO also says Marriott should have done more to secure its systems.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
“Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.” - securityaffairs reports
Below is Marriott International, Inc.’s filing with the US Securities and Exchange Commission, which discloses that the Information Commissioner’s Office (ICO) intends to fine it for breaches of data protection law.
Marriott International Update on Starwood Reservation Database Security Incident:
Marriott International announced that the UK Information Commissioner’s Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 against the company in relation to the Starwood guest reservation database incident that Marriott announced on November 30, 2018. Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position.
Marriott International’s President and CEO, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
For more information about the Starwood guest reservation database incident, please visit https://info.starwoodhotels.com
To read the full response report, please visit: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/