ICO Fines Marriott International for the 2018 Data Breach

Written by Bill Toulas
Last updated July 10, 2019

The UK Information Commissioner’s Office (ICO) has published its intention to fine Marriott International $123 million (£99 million), following last December’s disclosure of a breach that exposed 500 million of the hotel giant’s customers. This announcement comes only a day after the $230 million fine concerning the British Airways breach, so the ICO is decisively dealing with last year’s security incidents that involve violations of the GDPR (General Data Protection Regulation).

The vast data breach that Marriott suffered between 2014 and 2018 affected 500 million customers of the Starwood chain, which is a subsidiary of Marriott. Anyone who made a reservation at Starwood through its online platform has been compromised, and the list includes many high-profile British individuals working in the army, the government, and other key agencies. The breach appears to have been carried out for intelligence gathering, as the stolen information was never put up for sale on darknet forums. The New York Times quickly reported that Marriott’s internal investigation findings pointed to Chinese hackers, possibly backed by the Chinese Ministry of State Security.

The ICO concluded that Marriott failed to secure Starwood’s systems when it acquired the brand, essentially ignoring the main GDPR requirement of accountability for the personal data it held. As the ICO’s Elizabeth Denham stated: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The personal details leaked in this incident include guest names, email addresses, phone numbers, passport numbers, dates of birth, credit card and payment data, and Starwood guest account information. When Marriott discovered who was behind the attacks, it asked for $12.5 billion in compensation, corresponding to $25 per compromised customer. Chinese officials never took responsibility for the incident, so no payment was ever approved or made to Marriott. While an entity like Marriott won’t be brought to its knees by the ICO’s fine, the case being made here is that companies cannot ignore the GDPR anymore and really have to start investing more in the security and protection of their customers’ data.

Do you think the fine of $123 million is fair for the Marriott breach case? Let us know your opinion in the comments below, or on our socials, Facebook and Twitter.
