Marriott set to be fined more than £99 million over data breach

The world’s largest hotel group, Marriott International, is set to be fined more than £99 million by the UK’s data privacy regulator over a data breach.

The £99.2m penalty relates to a breach that exposed the records of more than 300 million customers. The incident, which saw an unauthorised party compromise the guest reservation database of the Starwood division, is thought to date back to 2014, but was only discovered last year.

The fine comes hot on the heels of an announcement by the Information Commissioner’s Office (ICO) that it plans to fine British Airways £183m over a separate data breach that saw hackers steal the personal data of half a million of the airline’s customers.

The size of both fines shows the increased powers of the watchdog following the introduction of the EU’s General Data Protection Regulation (GDPR) last year.

Arne Sorenson, president of Marriott International, said the company would contest the fine.

“We are disappointed with this notice of intent from the ICO, which we will contest,” he said. “Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

The data breach occurred within Starwood – a brand that Marriott acquired three years ago. The ICO said that Marriott should have done more to secure its data systems.

Information commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.

“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”