Marriott fined £18.4m for Starwood Hotels data breach

The UK Information Commissioner’s Office (ICO) has fined US-headquartered Marriott International £18.4 million for failing to keep millions of customers’ personal data secure.

Marriott estimated that 339 million guest records worldwide were affected following a cyber attack in 2014 on Starwood Hotels and Resorts Worldwide. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.

Earlier this month, the ICO fined British Airways £20 million - its biggest fine levied so far - for failing to protect the personal and financial details of more than 400,000 customers. That breach took place in June 2018.

The Marriott personal data involved differed between individuals, but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.

The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK, said the ICO.

The regulator's investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

Information commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure - thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

The ICO’s investigation traced the cyber attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.

Commenting on the action, Adam Rose, a partner at legal firm Mishcon de Reya, said: “This decision puts an inordinate strain on a buyer of a company - with all its due diligence and warranty protections, Marriott did not uncover the data breach, not least because Starwood didn’t know about it.

“This sort of decision does little to protect individuals, or to help successful businesses grow through acquisitions,” he continued, adding: “Marriott did all that it reasonably could when making the acquisition, but is now facing a large fine.”
