Marriott fined £18.4 million for data security failure

The British authority, the Information Commissioner’s Office (ICO), has fined the hotel group Marriott £18.4 million for failing to securely store the personal data of millions of customers.

It is estimated that 339 million guest records worldwide were affected in a cyber attack on Starwood Hotels in 2014. The attack from an unknown source was not detected until September 2018, when the company was acquired by Marriott.


The ICO’s investigation concluded that Marriott was unable to implement appropriate technical or organizational measures to protect the personal data processed in its systems, as required by the General Data Protection Regulation (GDPR).


Information Commissioner, Elizabeth Denham, said:


“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.


“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”


Although the violation started in 2014, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.


In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system, giving them the ability to access and edit the contents of this device remotely.
