Marriott’s fine for the 2014 data breach at Starwood Hotels & Resorts, which Marriott later acquired, was fixed at £18.4 million yesterday by the Information Commissioner’s Office (ICO).
Like the British Airways data breach fine, which was fixed at £20 million two weeks ago, this is substantially lower than the £99 million fine that the ICO first threatened.
Whilst the breach began in 2014, two years before Marriott purchased the company, the ICO noted that Marriott failed to spot it until 2018.
339 million data records globally were stolen, containing some or all of:
- email addresses
- phone numbers
- passport numbers
- arrival and departure information
- loyalty programme numbers
Marriott isn’t off the hook yet. Similar penalties are likely to be imposed in other jurisdictions around the world.