Skip to main content

The UK Information Commissioner’s Office (ICO) has fined Marriott International £18.4 million for failing to keep millions of customers’ personal data secure.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels & Resorts Worldwide.

The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.

The precise number of people affected is unclear as there may have been multiple records for an individual guest.


Seven million guest records related to people in the UK.

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

Information commissioner, Elizabeth Denham, said: “Personal data is precious, and businesses have to look after it.

“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from March 25th, 2018, when new rules under the GDPR came into effect.

Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

The ICO had previously mooted a fine of up to £99 million in relation to the incident.

Commenting on the decision, Marriott said it did not intend to appeal, but makes no admission of liability in relation to the decision or the underlying allegations.

A statement said: “Marriott deeply regrets the incident.

“Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises.

“The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

Marriott suffered another huge data leak earlier this year, with some 5.2 million customer records compromised.