Britain's data watchdog has said that it has fined Marriott International £18.4 million for failing to keep customers' personal data secure after a 2014 cyber attack on Starwood Hotels and Resorts Worldwide affected 339 million guest records.
The hack began in 2014, before Marriott offered to buy Starwood Hotels, and affected 339 million guest records.
The Information Commissioner's Office (ICO) said that Marriott failed to put appropriate measures in place to secure customers' personal data from the attack, which was from an unknown source and remained undetected until September of 2018.
Get a FREE Digital Subscription!Enjoy full access to Hospitality Ireland, our weekly email news digest, all website and app content, and every digital issue.
The regulator added that it traced the cyber attack back to 2014, but the penalty only relates to the breach from March 25, 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.
The fine is much lower than the £99.2 million penalty the data watchdog proposed to levy on the hotel operator last year.
The company is also facing a London class action by millions of former guests demanding compensation.
No Plans To Appeals The Decision
"Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations," the hotel chain said.
The personal data may have included names, e-mail addresses, phone numbers and unencrypted passport numbers among other things, the ICO said.