Marriott faces £99m fine over massive customer data breach

The Marriott International hotel chain is facing a £99m fine relating to a data breach that is believed to have affected around 339 million customers globally.

The Information Commissioner's Office (ICO) said the penalty related to hacking that is believed to have targeted the systems of the Starwood hotels group in 2014 – two years before it was bought by US-based Marriott.

The database breach was not disclosed until last year.

It was also revealed at that time that the FBI was leading an investigation.

The ruling accused the hotel chain of failing to undertake due diligence when it bought Starwood and said more should have been done to secure its systems.


It is the second major fine imposed by the ICO under tough data protection rules, known as GDPR, that were introduced by the EU in 2018.

British Airways said on Monday it would contest a £183m fine for a similar breach that saw the personal details of 500,000 people compromised.

Marriott indicated it would also appeal the UK regulator's penalty.

It is believed details of seven million UK customers were affected by the hacking.

Information Commissioner Elizabeth Denham said: "The GDPR makes it clear that organisations must be accountable for the personal data they hold.

"This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Marriott International chief executive Arne Sorenson said: "Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

"We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
