Marriott hit with fine of almost £100m - the price for a guest data breach


As ever, Rob Lands and Mark Stephens are ahead of the curve.

At our Early Check-In hotel breakfast seminar on 20 June 2019, the panel of experts agreed some clear recommendations for hoteliers concerned about cyber-security:

  1. make sure all staff are properly trained,
  2. appoint a chief technical officer at board level, 
  3. insure against cyber-incidents, and 
  4. plan your response in advance for when it happens (because it's a case of when, rather than if).

The fine of £99,200,396 proposed by the Information Commissioner’s Office, announced yesterday and to be imposed on Marriott International in respect of criminal data theft from Starwood Hotels' former guest reservation database, relates to the UK only. The UK ICO is the enforcement agency for only one of the 28 EU countries subject to GDPR, so there must be a concern that further fines are to come.

As Marriott International has indicated in its SEC filing, it has the right to respond before any final determination is made and a fine can be issued by the ICO.  The company stated that it "intends to respond and vigorously defend its position". 

The next Early Check-In is on 19 September 2019, when we will be looking at hotel operating models.

"In November 2018, Marriott admitted to the world that half a billion customer records had been stolen by miscreants later publicly identified by US foreign secretary Mike Pompeo as coming from China. Though the hotel chain later scaled that down to a mere 383 million reservations, rather than 500 million individuals' data, the damage had very obviously been done."