
Marriott to Contest $124 Million Fine Imposed by UK Data Protection Regulator

Marriott International says it will fight a large fine resulting from a massive data breach that was discovered in 2018.

Following its July 8 statement of intention to fine British Airways £183 million, the UK Information Commissioner’s Office (ICO, the UK data protection regulator) announced on July 9 that it also intends to fine Marriott International £99,200,396 (just over $123.5 million). This should be a wake-up call to all companies, of any nationality, that expose the data of European citizens.

Marriott President and CEO Arne Sorenson said the company will fight the fine. “We are disappointed with this notice of intent from the ICO, which we will contest,” Sorenson said in a statement.

Marriott disclosed a breach ‘involving the Starwood guest reservation database’ and reported the incident to the ICO in November 2018. 

Marriott International is the world’s third largest hotel chain, with just under 6,000 hotels in around 110 countries. It was founded in 1927 by John Willard Marriott, and is now headed by his son Bill Marriott. It is headquartered in Bethesda, Washington DC.

According to the ICO statement of intent, “It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.”

Personal data from approximately 339 million guest records were exposed. Thirty million of these related to residents of 31 countries in the European Economic Area (EEA), with 7 million in the UK — bringing the breach within the jurisdiction of the EU’s General Data Protection Regulation (GDPR).

The ICO found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

Information Commissioner Elizabeth Denham commented, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” She added that if companies do not protect personal data, “we will not hesitate to take strong action when necessary to protect the rights of the public.”

“This is a very strong indication that the ICO, the UK’s GDPR Supervisory Authority, is now prepared to play hardball with organizations who they consider have demonstrably failed to protect EU citizen data under their stewardship. GDPR just got real in the UK,” warns Matt Walmsley, Head of EMEA Marketing at Vectra.

Chris Kennedy, CISO at AttackIQ, warns that GDPR is changing the cost landscape for a breach. “The frequency and cost of suffering a breach both continue to rise, especially for businesses that expose EU citizens’ data. Companies must now factor in the cost of fines under GDPR and CCPA, the costs of reparations for customers exposed, and litigations that could very well be in the hundreds of millions.”

Matt Middleton-Leal, general manager for EMEA & APAC at Netwrix, added that the fine “heralds a new era of greater regulatory power. Watchdogs’ barks may once have been considered worse than their bite, but this is no longer the case since the introduction of GDPR.”

This is the first major GDPR breach fine on an international company that is not fundamentally European. The French regulator, CNIL, fined Google £50 million — but that was over non-GDPR-compliant procedures rather than a breach and loss of personal data.

The ICO led the investigations into both the BA and Marriott incidents under GDPR’s ‘one-stop-shop’ procedure. This allows one national regulator to handle the process for the whole of the European Union. The UK has probably Europe’s best-resourced data protection office, and will likely take the lead in many major investigations. The size of these two fines demonstrates to other European nations that the UK can be trusted not to be soft on GDPR.

However, the apparent disparity between the BA fine (£183 million for compromising 500,000 customers) and the Marriott fine (£99 million for compromising 30 million EEA residents) could give BA some hope for its appeal. GDPR fines are not related purely to victim numbers, but include many other factors around the security posture and behavior of the company concerned. We are not currently privy to the details behind the ICO’s decisions, but these may become clear if either company proceeds to appeal. Those details will be as educational to other companies within the GDPR jurisdiction as is the size of the fines.

“After much discussion around the lack of substantial GDPR enforcement,” suggests Rick Holland, CISO and VP of strategy at Digital Shadows, “we are starting to see hefty fines for the exposure of European citizens’ personal data. The penalties should highlight to global businesses that it is naïve to ignore GDPR. It is truly global, not just European. Furthermore, multinational companies that thought that the global social media brands would exclusively be targeted were wrong.”

Related: British Airways Faces $230 Million Fine for 2018 Breach 

Related: French Consumer Group Launches Class Action Against Google 

Related: GDPR Complaints Filed Against Eight International Streaming Companies 

Related: Ireland’s Data Protection Commission Reports Multiple GDPR Investigations

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
