The UK's Information Commissioner's Office (ICO) said it has fined the Marriott hotel chain £18.4m for a major data breach that may have affected up to 339 million guest records. The intrusion, considered one of the largest data breaches in history, began in 2014 in the reservation system of Starwood Hotels, a chain Marriott acquired two years later.
The watchdog said that Marriott failed to put appropriate measures in place to secure customers’ personal data from the attack, which remained undetected until September 2018.
The compromised data may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests' VIP status and loyalty programme membership numbers, the regulator said.
According to the watchdog, in 2014 an unknown threat actor installed a web shell on a device in the Starwood system, giving it remote access to the data stored on that device. The attacker then installed malware on the system and gained unrestricted access to the compromised device and to any other device on the network that the compromised account could reach. Using additional tools, the attacker harvested login credentials for further users within the Starwood network and eventually reached the database storing reservation data for the hotel chain's customers. The ICO noted that the web shell and the activity that followed it went undetected for about four years.
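The first link in the chain the ICO describes, a web shell on an internet-facing host, is the one a defender has the best chance of catching early. The following Python script is an added example, not code from the ICO notice, from Marriott or from Starwood: it parses web server access logs in the common combined format and flags requests showing web-shell indicators (a server-side script executing from a directory that should only serve static content, command-style query parameters, and referer-less POSTs to scripts). The log lines, hostnames, paths and the list of suspicious parameter names are constructed for illustration and are not drawn from the breach.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Directories that should serve static content only; a script executing from
# one of them is a classic sign of an uploaded web shell. (Assumed layout.)
STATIC_DIRS = ("/uploads/", "/images/", "/static/")
SCRIPT_EXT = (".php", ".jsp", ".aspx", ".asp")
# Query parameter names commonly used by web shells to pass a command.
# Illustrative list, not tied to any specific shell family.
CMD_PARAMS = {"cmd", "exec", "command", "c"}

# Constructed sample log: ordinary traffic plus one attacker (203.0.113.9)
# dropping a PHP file in /uploads/ and then running commands through it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2014:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Nov/2014:03:14:09 +0000] "GET /images/logo.png HTTP/1.1" 200 8841 "https://example.test/" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2014:03:20:11 +0000] "POST /uploads/photo.php HTTP/1.1" 200 312 "-" "python-requests/2.4"
203.0.113.9 - - [12/Nov/2014:03:20:15 +0000] "GET /uploads/photo.php?cmd=whoami HTTP/1.1" 200 57 "-" "python-requests/2.4"
10.0.0.7 - - [12/Nov/2014:03:25:40 +0000] "GET /reservations/search.jsp?guest=smith HTTP/1.1" 200 2201 "https://example.test/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(rec):
    """Return the list of indicator names triggered by one parsed request."""
    reasons = []
    url = urlparse(rec["path"])
    path = url.path.lower()
    if path.endswith(SCRIPT_EXT) and path.startswith(STATIC_DIRS):
        reasons.append("script-in-static-dir")
    params = set(parse_qs(url.query).keys())
    if params & CMD_PARAMS:
        reasons.append("command-parameter")
    if rec["method"] == "POST" and rec["referer"] == "-" and path.endswith(SCRIPT_EXT):
        reasons.append("no-referer-post-to-script")
    return reasons


def find_webshell_candidates(log_text):
    """Scan a block of access-log text and return the requests worth triaging."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score_request(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], ", ".join(f["reasons"]))
```

The indicators are deliberately cheap so they can run over years of logs; in practice you would also baseline which script paths each host has ever served and alert on a new one appearing in a writable directory, since a shell that is only ever POSTed to with a benign-looking body would trip none of the signatures above.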
The ICO added that it traced the attack back to 2014, but the penalty relates only to the period from 25 May 2018 onwards, when the General Data Protection Regulation (GDPR) came into force.