Marriott International is one of the best-known US hotel leaders in the world. The European headquarters are in the United Kingdom and in total it manages around 7,300 residential properties, hotels and timeshares.
But unfortunately last year the company received an expected news, it will have to pay a fine of around 18,4 million pounds for breaking the GDPR (General Data Protection Regulation), even if initially the fine was 99 million pounds.
Let’s take a step back to better understand what has happened in recent years. In 2014 Starwood hotels was subjected to a cyber-attack. In 2016 Marriott acquired Starwood, but it was only in 2018 that they discovered the hack ongoing, which therefore lasted four years. In the meantime the data of 339 million customers were hacked and the hackers had a lot of information such as telephone number, name, e-mail address, arrival and departure days and even passport numbers.
Considering that the event took place even before Brexit, the Information Commissioner’s Office (ICO) had the opportunity to intervene on behalf of the European Union in order to investigate and find the company guilty.
According to the British Authority, the Marriott group would not have done everything possible to keep safe the personal data of its customers that were stored in the several computer systems.
The Information Commissioner Elizabeth Denham commented on the fact: ”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not”. She added: “When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect”.
After the hack, the ICO recognized the actions promptly taken by Marriott International to contact their customers, to limit damage and above all to improve systems security.