Namely, in November 2018, Marriott announced an incident that led to a breach of its guests’ data dating back to 2014. Marriott acknowledged that the Starwood reservation database had been compromised in a cyberattack and that the personal data of its guests had leaked. Marriott acquired Starwood Hotels & Resorts Worldwide in 2016. However, the exposure of the guests’ personal data continued until 2018, when this long-running breach was discovered.
After the investigation, the ICO stated that approximately 339 million guest records were affected by this incident globally. Of these, around 30 million relate to residents of 31 countries that are members of the European Economic Area, and around 7 million relate to UK residents. The famous hotel chain exposed its guests’ sensitive personal data, including their names, e-mail addresses, credit card details, details of birth, gender, and arrival and departure information.
The ICO’s investigation of the data breach found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.
The Information Commissioner, Elizabeth Denham, emphasized in her statement that “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired but how it is protected”.
Marriott intends to appeal the decision.