Following the record-breaking fine for British Airways earlier this week, the Information Commissioner’s Office (ICO) has announced another hefty fine: this time it is the international hotel group Marriott, fined £99.2m after hackers stole the records of 339 million guests.
In 2016, Marriott acquired Starwood hotels group.
The ICO argues that Marriott “failed to undertake sufficient due diligence” at the time of the acquisition and should have done more to ensure the Starwood IT systems were secure.
Why? Last year it became apparent that the systems of the Starwood hotels group had been compromised, and that personal data including credit card details, passport numbers and much more had been stolen.
Marriott has confirmed that the hacked database was no longer used for business operations.
Elizabeth Denham, the Information Commissioner, said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
As awareness of GDPR and of the rights people have over their own data increases, the number of reported data breaches is going up too. According to a report published in June 2019, “the ICO has received around 14,000 data breach reports over the past year, which quadrupled from records of the preceding year.”
If your company processes personal data, whether you are a large corporation or an SME, you can be fined and/or named and shamed if you do not comply with GDPR guidelines.
At Infuse, we provide GDPR audits to ensure your company is compliant with requirements. For further information, please get in touch by emailing [email protected]