GDPR fines roll in: After BA, Marriott faces £99m fine over breach affecting 383 million


US hotel giant Marriott International could get a £99.2m (AU$178m) fine from the UK’s privacy watchdog over a multi-year breach of the reservation database of Starwood Hotels, which it acquired in 2016. 

Marriott discovered the breach on September 8, 2018 but did not disclose it until November 30. The attackers had held access to the Starwood guest reservation database since 2014, two years before Marriott acquired the chain. Marriott's initial estimate of 500 million affected customers was later revised down to 383 million. 

The attackers copied 9.1 million encrypted payment card numbers, but over the course of the multi-year intrusion they also had access to several hundred million guests' sensitive personal information, including passport numbers, dates of birth and reservation details.  

Marriott on Tuesday filed a report with the US Securities and Exchange Commission (SEC) disclosing that the UK Information Commissioner's Office (ICO) had issued a notice of intent to fine it £99,200,396 for violating Europe's General Data Protection Regulation (GDPR), which came into effect in May 2018. 

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said Marriott International’s President and CEO, Arne Sorenson. 

News of Marriott's fine came a day after the ICO announced the largest GDPR penalty proposed to date, £183 million against British Airways (BA), over a 2018 website breach that affected 500,000 customers. BA plans to challenge the fine.    

Marriott also intends to challenge its fine, as does Google, which was fined €50m by France's privacy watchdog, CNIL, over its approach to consent on Android.

The ICO today said that 30 million European residents were affected by the Marriott breach, including seven million UK residents. The compromise of Starwood's reservation system began in 2014, two years before Marriott acquired Starwood in 2016. The ICO led the EU investigation into the Marriott breach on behalf of the other EU member-state regulators. 

The ICO found that Marriott failed to undertake "sufficient due diligence" when it bought Starwood and should have done more to bolster the security of the systems it inherited. 

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said ICO commissioner Elizabeth Denham.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.” 

Stories by Liam Tung