ICO fines Marriott 18.4 million pounds for failing to secure customer data

(Reuters) - Britain’s data watchdog said on Friday it has fined Marriott International 18.4 million pounds ($23.98 million) in a six-year old cyber attack on its Starwood hotels reservation system in one of the largest data breaches in history.

The hack began in 2014, before Marriott offered to buy Starwood Hotels, and affected 339 million guest records.

The Information Commissioner’s Office (ICO) said that Marriott failed to put appropriate measures in place to secure customers’ personal data from the attack, which was from an unknown source and remained undetected until September 2018.

The regulator added that it traced the cyber attack back to 2014, but the penalty only relates to the breach from March 25, 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.

The fine is much lower than the 99.2 million pounds penalty the data watchdog had proposed to levy on the hotel operator last year.

The company is also facing a London class action by millions of former guests demanding compensation.

“Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations,” the hotel chain said.

The personal data may have included names, email addresses, phone numbers and unencrypted passport numbers among other things, the ICO said.

Reporting by Tanishaa Nadkar in Bengaluru; Editing by Shailesh Kuber