Marriott fine slashed from £100m to £18m for huge data breach

James Cook
·2 min read
A Marriott hotel in California - AP
A Marriott hotel in California - AP

The Marriott hotel group has been fined £18.4m by the Information Commissioner’s Office (ICO) over a 2014 hack which saw records of 339 million guests stolen by hackers.

The fine is a significant reduction from the initial £99.2m fine that the ICO announced last year.

Hackers broke into the database of Starwood Hotels in 2014 and stole information including email addresses, phone numbers, passport information and loyalty programme numbers of guests. Seven million records in the breach related to people from the UK, the ICO has said.

Marriott bought the Starwood group in 2016 and the breach was only discovered in 2018, four years after the hackers had accessed the systems.

The fine only covers the period from 25 March 2018 when new GDPR rules came into effect. The ICO reduced the final fine because of the steps the company took to deal with the incident as well as the impact of the coronavirus pandemic on the business.

Elizabeth Denham, the Information Commissioner, said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

“When a business fails to look after customers’ data,” she continued, “the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Kate Bevan, Which? computing editor, said "it's positive to see the Information Commissioner's Office showing its teeth and sending a clear message to companies that it is unacceptable to play fast and loose with people’s personal data."

"Some people will be frustrated if they’ve suffered financially and emotionally from this data breach but had no redress," she added.

The reduction in the final fine for Marriott comes after the ICO also reduced the fine it required British Airways to pay over a data breach.

The airline was given a final fine of £20m earlier this month for a 2018 data breach which saw the personal information of 400,000 customers leaked online.

The ICO initially announced that it planned to fine BA £183m over the incident.

Telegraph Tech 100 2020: see the full list
Telegraph Tech 100 2020: see the full list