Marriott International Inc (NASDAQ:MAR) has been fined £18.4mln by the UK Information Commissioner’s Office (ICO) for a data breach that went on for four years.
Starwood Hotels and Resorts Worldwide Inc. suffered the cyberattack in 2014, which remained undetected until September 2018, by which time the company had been acquired by Marriott.
Details including credit card and passport numbers of 339mln customers were affected, with records of around 7mln UK customers being accessed.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
The precise number of people affected is unclear as there may have been multiple records for an individual guest, the ICO said.
An investigation revealed that the hotelier failed to implement appropriate technical or organisational measures to protect its customers.
The data watchdog initially proposed a £99.2mln fine for the hotel chain last year, though it said it “considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.”
Similarly, International Consolidated Airlines PLC’s (LON:IAG) British Airways received a reduced fine for a data breach, with its financial struggles amid the pandemic taken into account.
The £20mln fine, considerably cut down from £183mln, was still the largest ever handed out by the ICO, which said BA’s failure to act was unacceptable.
Shares dipped 1% to US$92.29 at open on Friday.