The fine imposed by the British security observer on the hotel unit Marriott due to this data breach was decreased by 14,4 23,8 million (~ $ 99 million) from 123 XNUMX million ($ XNUMX million).
The data breach took place in 2014, concerned the Starwood hotel network, and was not discovered until November 2018.
The personal data involved in the breach differed between individuals, but the ICO said it could include names, e-mail addresses, telephone numbers, unencrypted passport numbers, arrival/departure information, VIP guest list and loyalty program membership numbers.
Worldwide, some 339 million visitor files were affected, but fewer are believed to have been compromised because some of the files were duplicates. The breach is estimated to have affected about 30 million users across the EU, according to a previous ICO assessment.
In a statement, UK Information Commissioner Elizabeth Denham said: "Millions of people have been affected by the Marriott breach. Thousands have contacted the helpline and others may need to take legal action to protect their personal information, as the company they trusted did not. When a business fails to take care of its customers' data, the impact is not just a potential fine. What matters most is the public whose data they ought to protect."
The initial penalty proposed by the ICO for the Marriott breach would have been one of the largest fines imposed under GDPR. The first proposed amount represented about 3% of the company's revenue for 2018, but with the reduction it shrank to about 0.6%. This decrease is due in part to the pandemic.
Regarding the reduction in the size of the penalty, Marriott said that it reflects the "extended mitigation measures" that were implemented after the security incident. The company also stated that it has created a special website to provide information to interested visitors and has opened a special helpline. In addition, it sent "millions" of email alerts to individuals whose information was involved in the breach. It also said it offered visitors the opportunity to sign up for a personal information tracking service where available.