Marriott fined £18.4m under GDPR

The fine relates to a cyber attack in 2014 on Starwood Hotels and Resorts Worldwide, which was not detected until September 2018, when the company had been acquired by Marriott.

The number of guest records affected by the breach is estimated to be 339 million, and seven million guest records related to people in the UK.

Personal data involved may have included names, email addresses, phone numbers and unencrypted password numbers, the ICO said.

An investigation by the regulator found Marriott had failed to put in place ‘appropriate measures’ to protect the personal data being processed, as required by the General Data Protection Regulation (GDPR).

While the investigation traced the cyber attack to 2014, the penalty only relates to the breach from 25th May 2018, when GDPR came into effect.

The ICO initially issued a notice of intent to fine Marriott £99m in July 2019. The regulator said Marriott had promptly contacted customers and the ICO about the incident and has since introduced new security measures.

Information commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

In a statement posted on the Marriott International website, the company said: “Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations. As the ICO acknowledges, Marriott cooperated fully throughout the investigation.”