Last year, The Burn-In reported that Marriott International suffered a massive data breach which left hundreds of millions of its customer records exposed. After disclosing that it had been hacked, the hotelier became the subject of two class action lawsuits and a regulatory investigation. Now, the company has received a nine-figure fine because of its lax data security practices.
The $123 Million Fine
On Tuesday, Britain’s Information Commissioner’s Office (ICO) fined Marriott £99.23 million ($123.69 million) for violating the European Union’s (EU) General Data Protection Regulation (GDPR). The agency explained it issued the levy because the company didn’t do enough to protect its customers’ information.
Marriott admitted hackers stole 339 million of its guests’ records, including their credit card details and passport information, last year.
The UK regulator took action against the American hospitality corporation because 30 million EU citizens had their personal information exposed in the November 2018 data breach. Because EU residents were affected, the GDPR gives the ICO the authority to fine Marriott four percent of its annual global revenue. In February, the hotel and resort giant announced that it grossed $1.907 billion last year.
The ICO holds that the temporary lodgings firm helped facilitate the hack by not performing due diligence on one of its acquisitions. In 2014, cybercriminals gained access to the database of Starwood Hotels & Resorts. Two years later, Marriott bought Starwood for $13.6 billion. However, the firm didn’t realize its new subsidiary’s system was compromised until 2018.
Under the GDPR, corporations are responsible for protecting the personal data they possess. As such, the ICO’s position is that Marriott failed to verify the integrity of Starwood’s digital infrastructure. However, the multinational hotelier disagrees with the agency’s findings and has announced it will contest the fine.
The Cost of Accountability
Marriott isn’t the only corporation to receive a massive data breach sanction recently.
On July 8, the ICO hit British Airways with a £183 million ($228 million) levy for failing to protect the records of 500,000 of its customers. In June 2018, hackers penetrated the airline’s systems and accessed the names, addresses, and payment information of half a million consumers.
The ICO determined British Airways was partially responsible for the breach because of its “poor security arrangements.”
The airline announced it would appeal the fine, which represents 1.5 percent of its 2018 income.
Similarly, Yahoo agreed to pay $117.5 million to its 3 billion users because it failed to protect its users’ information from cybercriminals. As of this writing, the tech company’s settlement represents the largest common fund data breach payout in history.
However, Yahoo’s staggering civil penalty may be eclipsed by the end of this year. Currently, Facebook is in negotiations with the Federal Trade Commission (FTC) to close its investigation into the Cambridge Analytica scandal. As the FTC reportedly holds the social media service responsible for exposing the personal data of 87 million people, it’s considering fining the firm between $3 billion and $5 billion.
As data breach fines and settlements are becoming increasingly expensive, large corporations that don’t prioritize data security do so at their peril.