Security Experts:

Connect with us

Hi, what are you looking for?



Britain Fines US Hotel Chain Marriott Over Data Breach

Britain’s data privacy watchdog on Friday said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.

Britain’s data privacy watchdog on Friday said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.

The UK Information Commissioner’s Office said in a statement it fined Marriott £18.4 million ($23.5 million, 20.1 million euros) for breaches of data that included personal information such as passport numbers since March 2018.

That was when new European Union data protection rules, or GDPR, came into effect.

The final penalty is far less than a figure of around £100 million originally planned by the ICO.

The watchdog said it had taken into account “steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.

Since the breach occurred before Britain left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The ICO said Marriott’s breach in fact dated back to 2014, uncovering client data including passport numbers.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack six years ago on Starwood Hotels and Resorts Worldwide.

The ICO said the precise number of people affected remained unclear as there may have been multiple records for an individual guest.

It added that seven million guest records related to people in the UK.

“The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott,” the watchdog said.

“The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number,” it said.

Information Commissioner Elizabeth Denham said businesses are required to look after “precious” personal data belonging to clients.

“Millions of people’s data were affected by Marriott’s failure… When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect,” she said.

Related: Chinese Government Suspected in Marriott Hack: Report

Related: Class Action Lawsuit Filed Against Marriott Over New Data Breach

Related: Data Breach Cost Marriott $28 Million So Far

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.