Dive Brief:
- The U.K.'s Information Commissioner's Office (ICO) decreased Marriott International's fine by $100 million, to $23.8 million (£18.4 million) for the breach it disclosed in 2018, according to an announcement Friday.
- The original $124 million (£99 million) fine was issued in a Notice of Intent in July 2019. Between the notice and now, ICO "considered representations from Marriott" and its mitigation process. It also took into account "the economic impact of COVID-19 on their business before setting a final penalty," the ICO said.
- The ICO determined "there were failures by Marriott to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems," and that the company had therefore failed to meet the requirements of the GDPR.
Dive Insight:
The attack on Marriott began with an intrusion in 2014 into a server owned by Starwood Hotels and Resorts Worldwide. The unauthorized access went unnoticed, and the compromised server passed to Marriott with its 2016 acquisition of Starwood.
In November 2018, Marriott determined at least 339 million guest records were impacted, including 7 million U.K. residents.
Because the breach occurred before the U.K. left the EU, the "ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR," according to the announcement. The other EU data protection authorities approved the penalty through the GDPR's cooperation process.
When the proposed fine was announced in 2019, the ICO said Marriott "failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems." The attacker's access went undetected until 2018, roughly two years after the acquisition closed, when an internal security tool finally flagged it.
Under pandemic-induced business constraints, Marriott reported a total operating loss of $154 million for Q2 2020. Its net loss for the quarter was $234 million, compared with net income of $232 million in Q2 2019, according to its quarterly filing.
"Unlike some of the classic economic recessions, it's not like you can take price to necessarily drive additional demand and I think that is part of the overall picture is that there isn't quite the same sort of pressure in that regard," said EVP and CFO Leeny Oberg, during the earnings call in September. Marriott expects to continue to see "pockets" of low demand, which could impact corporate negotiations and partnerships.
Under the GDPR, Marriott's data breach was treated as a case of negligence, not an intentional abuse of data. The ICO took a similar approach with British Airways, whose proposed fine was announced just before Marriott's in 2019. That initial fine, a record-breaking $230 million (£183.39 million), was for a 2018 data breach that compromised more than 400,000 customers.
In October, the ICO settled on $25.8 million (£20 million) for British Airways' 2018 breach. The airline did not discover the intrusion until two months after it began. The ICO said BA "ought to have identified weaknesses in its security and resolved them," and that doing so "would have prevented the 2018 [cyberattack] being carried out in this way."
While British Airways' fine is still the "biggest to date" for the ICO, the watchdog "considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty," as the airline industry is strained under current circumstances.