Marriott owner facing huge GDPR breach fine

Marriott data breach
(Image credit: (Image credit:

The owner of the Marriott hotel chain is set to face a £99m fine following a data breach that left thousand of customer details exposed.

The fine from the UK's Information Commissioner's Office (ICO) comes after the personal data of approximately 339 million guest records globally were breachedd following a cyberattack.

The breach was referred to the ICO by Marriott in November 2018 as around 30 million of those customers affected were residents of 31 countries in the European Economic Area (EEA) - and seven million related to UK residents, meaning it fell under GDPR legislation.


The breach dates back to 2014, when Starwood hotels group was hit by an attack on its systems. Starwood was acquired by Marriott in 2016, but customer data continued to be leaked until the breach was discovered in 2018.

The ICO said that Marriott had fully co-operated in investigating the breach, and has since upped its security protections, but its investigation found that the company "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems."

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," Information Commissioner Elizabeth Denham said. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

(Image credit:

(Image credit: (Image credit:

The news comes hours after British Airways was hit with a £138m fine following a data breach earlier this year which saw around half a million customer accounts being compromised.

“We knew GDPR had teeth. Now we can see how bad it can bite," Ilias Chantzos, Symantec's senior director government affairs EMEA commented.

"Yesterday’s £183m and today’s £99m fines have solidified GDPR as a very serious piece of legislation, and one that is putting an organisation’s cyber security challenges and budget into an entirely new context.

Make no mistake, the EU devised GDPR and regulation such as the NIS Directive to improve the standard of cyber putting crucial requirements in place to protect consumers, organisations and our critical infrastructure.”

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.