Hotel firm Marriott to be fined £99m for data breach

Andrew Cummings
July 11, 2019

The UK's Information Commissioner's Office (ICO) plans to fine hotel giant Marriott International £99 million (about $123 million) for a data breach that exposed the sensitive data of 339 million guests.

In a statement, the UK's Information Commissioner's Office (ICO) alleged that the hotel chain violated Europe's General Data Protection Regulation (GDPR) by not taking action for several years as the breach unfolded.

The Nasdaq-listed hotel operator had announced a massive breach of its Starwood reservation database on 30 November 2018, reporting that it could have affected up to 500 million customers.

For some, the pilfered info also included payment card numbers and expiration dates, with Marriott admitting in November that those numbers were encrypted.


The ICO has ruled that Marriott failed to undertake "sufficient due diligence" when it bought Starwood and should have done more to bolster security.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset", Denham continued.

We are disappointed with this notice of intent from the ICO, which we will contest.

Marriott reported that as of December 31, 2018, Starwood-branded hotels are no longer using the Starwood reservation system that had been breached. The Marriott fine is the second GDPR-related fine the ICO has announced this week. The European Union has some of the strictest laws against data breaches of any country or group in the world, and it's coming down hard on companies that fail to protect their consumers' sensitive data.


"We deeply regret this incident happened", the statement continued.

"Although this may come as a blow to a company such as BA or Marriott, they are robust enough to weather the storm".

"Yesterday's £183m and today's £99m fines have solidified GDPR as a very serious piece of legislation, and one that is putting an organisation's cyber security challenges and budget into an entirely new context". Initially, the company said hackers stole the details of roughly 500 million customers before revising the number down. As the ICO's announcement regarding the British Airways incident demonstrates, the potential consequences of breaching the GDPR can be significant.

"People's personal data is just that - personal. That's why the law is clear - when you are entrusted with personal data you must look after it".


Sorenson appeared before the U.S. Homeland Security & Government Affairs Permanent Subcommittee in March to report on Marriott's efforts to secure its systems since the breach.

