Marriott facing nearly £100m over GDPR breach

Less than a day after the technology world was shocked to see British Airways face a potential £183m fine for a data breach, the ICO has issued a notice of its intention to impose a £99.2m fine on international hotel group Marriott after hackers stole the records of 339 million guests.

The data breach was disclosed in November 2018, but the ICO investigation showed that the vulnerability began when the systems of the Starwood hotels group (subsequently acquired by Marriott in 2016) were compromised in 2014, and that the compromise went undetected for roughly four years, including the two years after Marriott took ownership. The personal data stolen includes credit card details, passport numbers and dates of birth... The hacked guest records related to residents from around the whole globe, including 31 countries in the European Economic Area. Seven million records related to UK residents.

The ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood.

Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

Marriott said it would appeal against the fine.

Whilst we don’t yet know whether the level of the fine indicated is what Marriott actually ends up paying (Marriott will be able to argue its case before the ICO), one of the arguments it might be tempted to run is that the intrusion happened on somebody else’s watch – “it wasn’t us guv”. The ICO will give this limited consideration, because it is the entity which is the controller that faces the fine, and whether the shareholding in that entity has changed is neither here nor there from the ICO’s point of view. It does not help Marriott that the attackers remained inside the Starwood systems for two years after the acquisition: for that period Marriott was the controller of data that was actively being exfiltrated.

What is perhaps more interesting to consider is the extent to which Marriott will have any recourse against the erstwhile owners of the Starwood group. The basic starting point is “buyer beware” – ie Marriott bears the risk. However, that is exactly where the warranties and indemnities in the purchase agreement come into play: whether they allow Marriott to bring a claim against Starwood’s former owners depends on what was agreed, and we are only likely to find out the answer if it ends up in court.

It also raises the question of whether Marriott did sufficient due diligence on the Starwood group. We can assume that whatever was done did not pick up the historic breach, which leads to one of two conclusions: either Marriott did not do enough due diligence, or no amount of due diligence of the kind normally carried out in a corporate acquisition would have uncovered it. That second possibility deserves a moment’s thought. Conventional acquisition due diligence is largely documentary – security questionnaires, policy reviews, penetration test reports supplied by the seller – and none of that will reveal an attacker who has been quietly sitting inside the target’s network since 2014. Finding that requires actually looking at the target’s systems for evidence of compromise, not just at its paperwork.

The takeaway for anyone looking to acquire a business that holds any significant volume of personal data is, before signing on the dotted line, to (a) ensure that security due diligence is adequate by doing some real digging into the target’s cyber security posture, ideally including an independent technical assessment of its environment for signs of existing compromise rather than relying on the seller’s own assurances; and (b) ensure that it has full warranties from the seller that the target has not suffered any security breaches and has implemented state of the art cyber defences, backed by indemnities that will actually be worth something if those warranties turn out to be wrong.