Marriott Hotels hit with one of the largest GDPR fines to date

Remember the Marriott Hotels data breach that affected more than 330 million customers? The Information Commissioner's Office (ICO), the UK data protection watchdog, has now confirmed the company will be penalised to the tune of $23.77 million as a result.

"Millions of people's data was affected by Marriott's failure," said commissioner Elizabeth Denham. "Thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not."

An important mitigating circumstance, which seems to have affected the extent of the fine, is the fact that Marriott moved quickly once it had spotted the breach, and has beefed up its security since.

As per a BBC report, Marriott Hotels claims it regrets the incident "deeply".

"Marriott remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems. The ICO recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests," said the firm.

Back in 2016, Marriott acquired the Starwood hotel chain, not knowing that Starwood's systems had already been compromised and that its data was already being syphoned off by cybercriminals. The bigger problem, however, is that Marriott took two years to spot the breach and patch the leaks.

Back when it was first spotted, speculation circulated that Chinese state-sponsored attackers were behind the breach, but the identity of the hackers has never been confirmed.