£ 99 million fine for the hospitality company
Large companies and brands around the world must be vigilant. If they fail to implement sufficiently strong security measures, they could face penalties of up to tens of millions of euros. By way of example, two companies have already paid for their negligence.
Sanctions for companies based in England
The Information Commissioner's Office of the United Kingdom of Great Britain and Northern Ireland imposed a fine of up to £ 183 million on British Airways for violating GDPR. The reason was that the aviation giant negligently exposed the payment details and personal information of more than 500,000 customers.
In the same week, Marriott International, a global diversified hospitality company, was also sanctioned for serious security breaches. The fine imposed amounted to £ 99 million. This incident, which occurred in 2018, resulted in the disclosure of more than 339 million guest records to hackers.
Long-lasting problem
Most shocking is how long it took Marriott to detect the size and extent of the breach of its security system. The origins of this event date back to 2014, before the company bought Starwood Hotels in 2016. The failure of Marriott to take appropriate measures upon taking over Starwood Hotels is undeniable.
Marriott was unable to detect that the Starwood guest booking database had been attacked by hackers at the time. Nor did it find that hackers had access to guest records, their payment details and even personal passport data. Although Marriott identified a data breach in September 2018, it waited until November 2018 to file a report about it.
Millions of records at risk
The scale of Marriott's security breach, which went on for years, is truly extensive. Initially, the company reported that 383 million guest records were at risk. Later, it reduced the number to 339 million. In addition, 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted credit card numbers, and 385,000 credit card numbers valid at the time of the security breach were at risk too.
How to prevent it?
Organizations must implement security solutions that scan and monitor not just assets owned and managed by the company, but also all third-party systems. Their aim should be to identify vulnerabilities that could potentially be abused. The only way to avoid violations, and thus sanctions, is to pinpoint and resolve vulnerabilities.