Marriott set to be fined more than £99m over data breach

News /  / 
The records of 300 million Marriott customers have been involved in a data breach The records of 300 million Marriott customers have been involved in a data breach

The world’s largest hotel group, Marriott International, is set to be fined more than £99 million by the UK’s data privacy regulator over a data breach.

The £99.2m penalty relates to a breach that exposed the records of more than 300 million customers. The incident, which saw an unauthorised party compromise the guest reservation database of the Starwood division, is thought to date back to 2014, but was only discovered last year.

The fine comes hot on the heels of an announcement by the Information Commissioner’s Office (ICO) that it plans to fine British Airways £183m over a separate data breach that saw hackers steal the personal data of half a million of the airline’s customers.

The size of both fines shows the increased powers of the watchdog following the introduction of the EU’s General Data Protection Regulation (GDPR) last year.

Arne Sorenson, president of Marriott International, said the company would contest the fine.

“We are disappointed with this notice of intent from the ICO, which we will contest,” he said. “Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

The data breach occurred within Starwood – a brand that Marriott acquired three years ago. The ICO said that Marriott should have done more to secure its data systems.

Information commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.

“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

James Lancaster
Written By
James Lancaster

AMI editor James Lancaster is a familiar face in the meetings industry and international association community. Since joining AMI in 2010, he has gained a reputation for asking difficult questions and getting lost in convention centres. Proofer, podcaster, and panellist - in his spare time, James likes to walk, read, listen to music, and drink beer.

Latest Magazine

AMI November 2022 Covershot
Soaraway Inflation
How to plan your next meeting
Read More