UK Regulator Readies $123M Fine For Marriott Over GDPR Violations

The U.K. data protection authority will hit Marriott with a £99 million ($123 million) fine for a breach that exposed the data of up to 383 million guests.

Last year the hotel company revealed that guests’ data had been accessed in a breach of the Starwood hotel guest reservation database. Of the 500 million guests impacted, around 327 million had information compromised, ranging from names to passport numbers, email addresses and Starwood account information. The company also stated that credit card data may have been compromised even though it had been encrypted.

An investigation by the U.K.’s Information Commissioner’s Office (ICO) found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems,” according to Business Insider.

Marriott responded that “the company intends to respond and vigorously defend its position,” and that it “has the right to respond before any final determination is made and a fine can be issued by the ICO.”

“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott International’s president and CEO, Arne Sorenson, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Under the General Data Protection Regulation (GDPR), the ICO can fine up to 4 percent of a company’s annual revenue. Marriott generated about $3.6 billion last year, so the ICO’s proposed fine is about 3 percent of the company’s global revenue.

This fine comes just after the ICO imposed a record fine of $230 million on British Airways for a data breach that impacted about 500,000 customers over a three-week period between August and September 2018.


