The ICO (Information Commissioner's Office) is the equivalent of the French CNIL.The agency fined the international Marriott group following the leak of customers' personal data in 2018.
In November 2018, cybercriminals hacked into a database containing reservations dating from 2014 to 2018.
The data of approximately 383 million Marriott customers was reportedly affected. According to the analysis, hackers stole customer records, passport numbers, and bank details.
The ICO protects users' rights
According to the authority, Marriott's security breaches violate the GDPR (European Union General Data Protection Regulation). As a result, the ICO has decided to impose a fine on Marriott.
Elisabeth Denham, ICO Commissioner, said: "Personal data has real value. [...] Companies have a legal obligation to ensure its security, just as they would with any other asset. If this does not happen, we will not hesitate to take radical measures if necessary to protect users' rights." (source: zdnet.fr).
Marriott challenges ICO decision
Disappointed by the "ICO's statement of intent," Marriott decided to contest the decision. It therefore announced its intention to appeal the court's ruling:
"We deeply regret that this incident occurred. We take the confidentiality and security of customer information very seriously," said Arne Sorenson, President and Chief Executive Officer of Marriott International.
He also stated that the Marriott group had terminated the Starwood reservation system that had been compromised earlier in the year.
This is the second announcement by the ICO concerning proposed fines for a large organization for GDPR violations, following the British Airways case.
