Marriott Hotels fined £18.4m for data breach that hit millions

The UK’s data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.

The Information Commissioner’s Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.

The breach included seven million guest records for people in the UK.

The ICO said the company failed to put appropriate safeguards in place but acknowledged it had improved.

The first part of the cyber-attack happened in 2014, affecting the Starwood Hotels group, which was acquired by Marriott two years later.

But until 2018, when the problem was first noticed, the attacker continued to have access to all affected systems, including:

• names
• email addresses
• phone numbers
• passport numbers
• arrival and departure information
• VIP status
• loyalty programme numbers

On that basis, the ICO said Marriott had failed to protect personal data as required by the General Data Protection Regulation (GDPR).