Marriott fined £18.4 million by UK watchdog over customer data breach
The Marriott hotel group has been fined £18.4 million by the Information Commissioner’s Office, years after a 2014 data breach that affected millions of customers as well as the Starwood resort chain. During the breach, cybercriminals accessed systems and deployed malware through a web shell, using remote access tools as well as credential harvesting software. Customer information was exposed, including names, email addresses, phone numbers, passport numbers, travel details, and some loyalty program information.
The attack went unnoticed until 2018, by which point 339 million guests had been impacted, 7 million of whom were UK citizens. The ICO issued the fine on the grounds that Marriott failed to meet the GDPR's requirements to maintain cybersecurity and failed to put appropriate preventative measures in place. The company allegedly contravened data protection requirements that are enforced through the GDPR regulations introduced in 2018.