The Information Commissioner’s Office (ICO) has issued a fine of £18.4 million to Marriott International, for “failing to keep millions of customers’ personal data secure”.

The fine relates to a cyber attack on Starwood Hotels and Resorts in 2014, which remained undetected until September 2018 (by which time Starwood had merged with Marriott).

The hotel group estimates that 339 million guest records were affected by the data breach, although the ICO noted that “The precise number of people affected is unclear as there may have been multiple records for an individual guest”.

The ruling follows a £20 million fine to British Airways last month, in relation to a data breach in 2018.

British Airways fined £20 million for 2018 data breach

And like BA, Marriott could have faced a much larger fine than that which was eventually imposed, with the ICO suggesting last year that a figure of £99 million could be imposed.

The Office said that it “considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.

In a statement the ICO said:

“In 2014, an unknown attacker installed a piece of code known as a `web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.

“This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.

“Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.

“The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.”

Commenting on the ruling Information Commissioner, Elizabeth Denham, said:

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”,