The UK’s Information Commissioner’s Office wants to fine Marriott Hotels £99m over its loss of 383 million customer booking records last year.
The almost-but-not-quite-£100m sum (£99,200,396) was disclosed in a US regulatory filing by Marriott, which said: “Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position.”
A penitent but combative Arne Sorenson, chief exec of Marriott International, added: “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
In November 2018, Marriott admitted to the world that half a billion customer records had been stolen by miscreants later publicly identified by US foreign secretary Mike Pompeo as coming from China. Though the hotel chain later scaled that down to a mere 383 million reservations, rather than 500 million individuals’ data, the damage had very obviously been done.
Among the types of data stolen were unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences. The database, which the attackers had been accessing for four years before anyone noticed, was the Starwood Hotels chain’s guest reservation database, since decommissioned.
Marriott bought Starwood for $13.6bn in 2015, with the deal closing a year later. The group made a profit of $1.9bn in FY2018, an increase of nearly $1bn in two years.
Information Commissioner Elizabeth Denham said in response to Marriott’s statement: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott did indeed co-operate with the ICO investigation, according to the regulator, which took the lead on the case on behalf of other EU states.
People who booked a hotel stay in any Marriott or Starwood hotel (among others, the group also owns the Sheraton, Ritz-Carlton, and Renaissance brands) should go to Starwood’s web page about the data breach for more information on what the chain has promised to do for affected customers.