Marriott Hotels fined £18.4 million for failing to keep personal data of guests secure following acquisition of Starwood

Our team: Michelle Waknine


The UK’s Information Commissioner’s Office (ICO) has fined Marriott International Inc (Marriott) £18.4 million for failing to keep millions of customers’ personal data secure. Marriott’s breach of the General Data Protection Regulation 2016/679 (GDPR) came to light as a result of an attack on the IT systems of Starwood Hotels and Resorts Worldwide Inc (Starwood) between 2014 and 2018, during which period access was obtained to millions of customer files, including cardholder data. Starwood was acquired by Marriott in 2016; however, the attack was not detected by Marriott until September 2018.

It is estimated that 339 million guest records were affected in total, of which 30.1 million were EEA records. The personal data affected included 18.5 million encrypted passport numbers, 9.1 million encrypted payment card numbers and unencrypted information including dates of birth, flight information, addresses, telephone numbers, passport information and credit card expiration dates.

ICO’s decision

Although the ICO found no evidence of financial harm to the individuals affected, it concluded that “there were multiple measures that Marriott could have put in place that would have allowed for the detection of or mitigated the [attack] insofar as it continued after 25 May 2018 [i.e. when the GDPR came into force]” and that there had been “a serious failure to comply with the GDPR”.

Although this is among the top 10 fines issued by the ICO to date, it is significantly lower than the £99 million fine the ICO originally planned to issue, as reported here, likely due to the steps Marriott took to mitigate the effects of the incident on its customers, which the ICO acknowledged.

Because the breach happened before the UK left the EU, the ICO investigated the incident on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU data protection authorities through the GDPR’s cooperation process.

Lessons to be learned

This decision, together with the £20 million fine recently issued to British Airways in relation to a cyber-attack in 2018, again highlights how important it is for businesses to take the security of their systems seriously, particularly as recent figures suggest that cybercrime attacks in the UK are at an all-time high since the Covid-19 outbreak. Britain’s National Cyber Security Centre has reported that more than a quarter of the incidents it responded to over the past year were Covid-19-related.

The decision also highlights how important it is for corporate buyers to investigate security and data protection thoroughly during the due diligence process, from both a compliance and a technical perspective; these areas are often overlooked or deferred until after completion of the purchase. In this case, the ICO found that Marriott had only been able to carry out limited due diligence on Starwood’s data processing databases and systems prior to the acquisition; however, as Marriott has learnt the hard way, this is clearly no excuse.
