Marriott International Inc – ICO Monetary Penalty Notice
The ICO monetary penalty notice fining Marriott £18.4m for a personal data breach makes some important points about the technical failings that gave rise to the breach, and about the risk that an acquired business (in this case Starwood) brings with it undiscovered security vulnerabilities that the acquirer inherits.
Multifactor authentication (MFA) issues featured significantly, though these were not taken into account in fixing the penalty because of assurances on which Marriott had relied. The factors that were taken into account included insufficient monitoring of privileged accounts, insufficient monitoring of databases, inadequate control of critical systems (in particular, the absence of whitelisting), and the lack of encryption of payment card data and passport numbers.
Marriott’s submission that Article 33 of the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected. The test is lower: a data controller must notify once it can reasonably conclude that it is likely that a personal data breach has occurred.