Marriott facing $178m GDPR fine

By Dylan Bushell-Embling
Thursday, 11 July, 2019

Marriott facing $178m GDPR fine

Hotel chain Marriott International is facing a £99.2 million ($178.25 million) fine over a massive data breach that exposed around 339 million customer records.

The UK's Information Commissioner's Office (ICO) has issued a notice of intent to issue the fine under the EU's General Data Protection Regulation (GDPR).

Marriott reported the cyber incident to the ICO in November last year, revealing that it believes hackers had compromised the systems of the former Starwood Hotels Group in 2014. Marriott acquired Starwood in 2016 but did not discover the breach until 2018.

An ICO investigation has determined that Marriott failed to undertake sufficient due diligence when acquiring Starwood and to take more action to secure its systems post integration, according to Information Commissioner Elizabeth Denham.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," she said.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Marriott International and other EU data protection authorities will now have an opportunity to comment on the ICO's findings before the final penalty is decided on. Marriott has revealed plans to contest the fine.

Of the 339 million compromised records, around 30 million related to EU member states and 7 million to UK residents in particular.

Marriott has made improvements to its security posture since the breach was discovered, the ICO said. The hotel chain has stopped using the compromised Starwood reservation system altogether as a result of the completion of the company's post-merger integration work.

The ICO announcement came a day after the agency revealed it intends to fine British Airways £183.39 million ($329.5 million) in relation to a data breach affecting the private information of around 500,000 customers. This would be the largest penalty imposed under the GDPR to date.

Image credit: ©

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related News

Pitney Bowes hit by ransomware attack

Logistics and e-commerce technology company Pitney Bowes is working to restore services after a...

Thoma Bravo bids $5.6bn for Sophos

The board of UK-based security company Sophos will unanimously recommend a US$3.82bn takeover...

Proofpoint uncovers malware delivery service for hire

Security company Proofpoint has provided details of a staged malware downloader they are calling...

  • All content Copyright © 2019 Westwick-Farrow Pty Ltd