The Information Commissioner’s Office (ICO) has fined Marriott International £18.4m over a hack of its Starwood customer database, which saw the data of millions of guests compromised.
Marriott said it does not intend to appeal the decision but added that it made no admission of liability in relation to the decision or the underlying allegations.
The decision brings an end to the two-year UK and EU regulatory investigation, which found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems as required by the General Data Protection Regulation (GDPR).
Marriott said it “deeply regrets the incident” and “remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems”.
In a statement the company said: “Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”
Marriott estimated that 339 million guest records worldwide were affected following a cyber attack in 2014 on Starwood Hotels and Resorts. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
In 2014, the attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system, giving them the ability to access and edit the contents of the device remotely.
This access was exploited to install malware that gave the attacker remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and to any other devices on the network that the compromised account could reach.
Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
The precise number of people affected is unclear, as there may have been multiple records for the same individuals. Seven million guest records related to people in the UK.
The ICO acknowledged that Marriott acted promptly to contact customers and the ICO, acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.
Information Commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”