In its second statement of intent of the week, on 9 July 2019, the UK’s Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc (“Marriott”) £99.2m under the General Data Protection Regulation (“GDPR”) for a personal data breach that occurred in relation to the Starwood guest reservation database system.
The breach is believed to have started when Starwood hotels systems were affected by a cyber-attack in 2014. The breach was uncovered and notified to the ICO in November 2018, two years after Starwood's acquisition by Marriott. Personal data contained in over 330 million guest records were exposed by the incident. About 30 million records related to individuals from over 30 countries in the European Economic Area (EEA). Around 7 million records related to individuals located in the UK.
The ICO determined that Marriott should have taken additional steps to review and secure the IT infrastructure used by Starwood. The ICO noted that Marriott had co-operated with the investigation conducted by the ICO and had improved its security practices since the incident. Marriott has been invited to make further representations to the ICO about the calculation of the fine before the ICO takes its final decision. The ICO has said that it will carefully consider any representations made by Marriott and the other European data protection supervisory authorities before it makes its final determination.
Under the GDPR, a data protection supervisory authority can issue a maximum fine of up to 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year of the relevant undertaking for a serious violation of the GDPR, whichever figure is higher.