Photo credit: Kgbo / CC BY-SA 4.0

The Information Commissioner’s Office (ICO) has fined the hotel chain Marriott International £18.4 million over a cyberattack that went undetected for four years and potentially compromised up to 339 million guest records.

It is the second time in two weeks that the regulator has imposed a multi-million pound fine, after British Airways (BA) was hit with a record £20 million fine earlier this month.

In both cases, however, the penalties were greatly reduced from what was originally intended; in July 2019, the ICO announced that a £99 million fine was planned for Marriott.

The final fine of £18.4 million is an 82% reduction.

In BA’s case, the proposed £183 million levy was cut by 89%.

For both companies, the regulator said it lowered the fines after hearing their statements during the appeal process and considering “the economic impact of Covid-19 on their business”.

Information Commissioner Elizabeth Denham announced the Marriott penalty, saying, “Personal information is valuable and businesses need to take care of it. Millions of people’s data were affected by Marriott’s failure. Thousands contacted a hotline and others may have had to take steps to protect their personal information because the company they trusted hadn’t. If a company fails to look after customer data, the impact isn’t just a potential fine. Most important is the public, whose data they need to protect.”

The hotel chain said it would appeal the £18.4 million fine – but that it “accepts no liability in relation to the decision or the underlying allegations”.

“Marriott has been fully cooperative throughout the investigation, as confirmed by the ICO,” the company added. “Marriott deeply regrets the incident. Marriott continues to be committed to the protection and security of its guests’ information and continues to invest heavily in security measures for its systems, as recognized by the ICO. The ICO also recognizes the steps Marriott took after the incident was discovered to promptly inform and protect the interests of its guests.”

The attack in question was launched by an unknown attacker in 2014, according to the ICO. The target was Starwood Hotels and Resorts – a company acquired by Marriott in 2016.

“[The] attacker installed code known as a ‘web shell’ on a device in the Starwood system so that they could remotely access and edit the contents of that device,” the regulator said. “This access was exploited to install malware so that the attacker could have remote access to the system as a privileged user. As a result, the attacker would have unrestricted access to the device in question and to other devices on the network to which that account would have had access.

“The attacker installed additional tools to gather credentials for additional users on the Starwood network. These credentials were used by the attacker to retrieve and export the database that contained reservation data for Starwood customers.”

The attack was only discovered in September 2018 – four months after the EU General Data Protection Regulation came into force – and the ICO was notified shortly afterwards. Marriott has estimated that approximately 339 million guest records were affected by the attack.

The £18.4 million fine imposed on the hotel chain is not only heavily reduced from the original figure, but is also well below the maximum penalty allowed under the GDPR and the new UK Data Protection Act.

Prior to 2018, the maximum penalty available to the ICO was £500,000 across the board. However, the new laws give the watchdog the power to punish data protection violations with fines of around £18 million, or 4% of the organization’s global sales, whichever is greater.

For Marriott, which had sales of $21 billion in 2019, this could have resulted in a fine of up to £650 million.