
ICO plans to fine Marriott £99 million

Marriott data breach

The Marriott data breach is one of the most serious data breaches of its kind. The breach put the personal data of 339 million customers at risk. And, today, the Information Commissioner’s Office (ICO) has announced plans to fine the US hotel group £99.2 million.

In a statement, the Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

This announcement comes a day after the UK’s data privacy regulator said that it planned to fine British Airways £183m over a separate breach. These huge fines reflect changes in data protection law since the General Data Protection Regulation (GDPR) came into force last year.

However, while the ICO has the power to impose data breach fines, it does not give this money to victims of the data breach. So, if your data was put at risk by Marriott you should now make a data breach compensation claim.

What happened in the Marriott data breach?

On September 8, 2018, Marriott became aware that hackers had managed to access its Starwood guest reservation database. However, when investigating the breach, it was uncovered that cybercriminals had enjoyed access to this database since 2014.

During this time the hackers accessed, copied and removed the private data of millions of customers. The stolen data includes information such as passport numbers, emails, dates of birth, gender and mailing addresses, and in some cases reservation dates. Marriott also said that it was not able to rule out whether credit card information was exposed.

This theft of personal and financial information could lead to identity and financial fraud. And this has the potential to turn a person’s life upside down.

What did Marriott do wrong?

The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood. It should also have done more to secure its systems.

What happens now?

Marriott will now have an opportunity to make representations to the ICO as to the proposed findings and sanction. It will appeal the proposed fine.

Marriott International’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest.”

The ICO will carefully consider the representations made by Marriott and the other concerned data protection authorities before it makes a final decision.

What can you do if you were affected by the Marriott data breach?

At Hayes Connor Solicitors, we have launched a group action against Marriott for this privacy infringement. The action allows people with the same type of claim to bring it together on a collective basis. This strengthens their overall position and increases their chances of success.

Find out more about group actions.

The Marriott data breach was able to happen because the company failed to implement reasonable and robust security processes. So, claiming compensation isn’t just in your best interests. Organisations will only be persuaded to take their responsibilities seriously if strong and decisive action is taken.

To join our Marriott data breach group action, register with us today. We can help you claim compensation for financial losses, as well as for inconvenience and distress.

We can take on your claim on a no-win, no-fee basis.
