UK's ICO Fines Marriott £18.4m For Failing To Secure Customer Data

By Dave Simpson

Britain's data watchdog has said that it has fined Marriott International £18.4 million for failing to keep customers' personal data secure after a 2014 cyber attack on Starwood Hotels and Resorts Worldwide affected 339 million guest records.

The hack began in 2014, before Marriott offered to buy Starwood Hotels, and affected 339 million guest records.

The Information Commissioner's Office (ICO) said that Marriott failed to put appropriate measures in place to secure customers' personal data from the attack, which was from an unknown source and remained undetected until September of 2018.

The regulator added that it traced the cyber attack back to 2014, but the penalty only relates to the breach from March 25, 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.

The fine is much lower than the £99.2 million penalty the data watchdog proposed to levy on the hotel operator last year.


The company is also facing a London class action by millions of former guests demanding compensation.

No Plans To Appeal The Decision

"Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations," the hotel chain said.

The personal data may have included names, e-mail addresses, phone numbers and unencrypted passport numbers among other things, the ICO said.

News by Reuters, edited by Hospitality Ireland.