The UK’s data privacy watchdog Information Commissioner’s Office (ICO) has fined Marriott International £18.4m for a major data breach.
The penalty is related to a cyber-attack that hit Starwood Hotels and Resorts Worldwide in 2014. This hotel group was acquired by Marriott in 2016.
The data breach, which is estimated to have compromised personal details of around 339 million guests, remained undetected until September 2018.
An ICO investigation found that Marriott had failed to implement appropriate technical or organisational measures to protect this personal data, as required by the General Data Protection Regulation (GDPR).
However, the penalty imposed on Marriott covers only the period from 25 May 2018, when GDPR came into effect.
The investigation was carried out by the ICO on behalf of all European Union (EU) data protection authorities, as the incident occurred while the UK was still a member of the EU.
In a statement, Information Commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The statement also noted that Marriott acted promptly on the incident and took action to minimise the risk of damage.
Separately, Marriott International also acknowledged the ICO decision and said that the company ‘deeply regrets the incident’.