ICO fines Marriott Hotels £18.4M over customer data breach


The Information Commissioner's Office (ICO) has fined Marriott Hotels £18.4 million for a major data breach that affected 339 million guests.

The ICO, the UK's data privacy watchdog, said a cyber attack on Marriott Hotels led to a data breach that compromised the names, contact information, and passport details of the hotel chain's guests.


The breach affected 339 million guests, including seven million guest records for people in the UK.

Marriott Hotels data breach

According to the ICO, the hotel firm had not put appropriate safeguards in place, although the regulator acknowledged that certain improvements have since been made.

The first part of the cyberattack occurred in 2014 at the Starwood Hotels group, two years prior to its acquisition by Marriott.


The attacker retained access to the affected systems until the breach was discovered in 2018. The exposed data included names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status, and loyalty programme numbers.

Different data types were exposed for different guests, and some repeat customers had duplicate records, which made it impossible to determine the exact number of people affected.

The ICO argued that based on requirements under the General Data Protection Regulation (GDPR), the company failed to protect personal data.


ICO commissioner Elizabeth Denham said: "Millions of people's data was affected by Marriott's failure. Thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not."

Marriott released a statement saying it "deeply regrets the incident".

The hotel firm assured: "Marriott remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems."

"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests," it added.

Other recent ICO fines and breaches

Two weeks ago, the ICO fined British Airways £20 million for a data breach that affected over 400,000 customers.

The ICO fine was for a 2018 breach that affected both personal and credit card data of British Airways customers. The £20 million fine is significantly lower than the £183 million the ICO originally proposed in 2019.

According to the ICO, the fine was smaller because "the economic impact of Covid-19" had been taken into account. Despite the significant decrease in the amount, it is still the largest penalty issued by the ICO to date.

A spokesman for the company stated: "We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation."

During the same month, school payments service provider WisePay reported that its website had fallen victim to a cyber attack between October 2 and October 5.

The cyber attack involved creating a spoof page, which allowed the attacker to gather the payment details of parents who made payments using WisePay to UK schools during that period. According to the firm, the attack affected attempted payments to about 300 schools.

However, WisePay claims that only a small number of parents would have used its system before it was taken offline.

Richard Grazier, managing director at the payments firm, said the types of cashless payments made, including exam fees and school meals, would not be made on a daily basis. He claimed: "Actually, it's quite a small subset of users of the platform."

The cyber attack took place on a Friday night and was not detected until the following Monday morning at 10:00 BST. Grazier said that upon detection of the attack, WisePay's website was taken down.