The UK’s data privacy watchdog Information Commissioner’s Office (ICO) has fined Marriott International £18.4m for a major data breach.

The penalty is related to a cyber-attack that hit Starwood Hotels and Resorts Worldwide in 2014. This hotel group was acquired by Marriott in 2016.

The data breach, which is estimated to have compromised personal details of around 339 million guests, remained undetected until September 2018.

An ICO investigation found that Marriott failed to implement appropriate technical or organisational measures to protect this personal data, as required by the General Data Protection Regulation (GDPR).

However, the penalty imposed on Marriott covers only the period from 25 May 2018, the date on which GDPR came into effect.

The investigation was carried out by the ICO on behalf of all European Union (EU) data protection authorities, as the incident occurred while the UK was still a member of the EU.


In a statement, Information Commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The statement also noted that Marriott responded promptly to the incident and acted quickly to minimise the risk of damage.

Separately, Marriott International also acknowledged the ICO decision and said that the company ‘deeply regrets the incident’.