ICO to fine Marriott £99m for GDPR data breach

The fine relates to a data breach in November 2018 affecting the personal data of 339m guest records globally – about 30m of those were from the 31 countries in the European Economic Area (EEA) and seven million in the UK.

The data breach related to the Starwood hotels group and dated back to 2014; however it came under Marriott’s responsibility following its acquisition of the business in 2016. The exposure of the information was not discovered until 2018 and the ICO said Marriott failed to do enough due diligence when it bought Starwood.

Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This an include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measure to assess not only what persona data has been acquired but how it is protected.”

Marriott has co-operated with the ICO investigation and improved its security arrangements since these events came to light. Marriott can make representations to the ICO as to the proposed findings and sanction.