ICO fines Marriott International Inc £18.4 million

The ICO has today fined Marriott International Inc £18.4 million for GDPR infringements. This is a significantly lower fine than expected.

Edward Machin, a lawyer in Ropes & Gray’s Privacy, Data Protection and Cybersecurity team commented:

“The fine is less than half of the £50 million that Marriott had set aside in its recent accounts, less than one fifth of the £99 million penalty that the ICO originally proposed in July 2019, and amounts to 0.05p per guest record that was affected by the breach. Although an £18 million fine is no small matter, it could have been considerably worse for Marriott, given the alternative potential outcomes.”

“Today’s announcement concludes an enforcement chapter that the ICO will quickly want to forget. Marriott and British Airways, which recently received its own much-reduced penalty for a large data breach, strongly criticised the methodology used by the ICO to calculate their original fines – and the regulator appears to have accepted that its assessment was flawed in both cases.”

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott. The penalty only relates to the breach from 25 March 2018, and has been dealt with under the GDPR.

Seven million guest records that were breached related to people in the UK. The ICO, which acted as the Lead Authority in this case and sought approval for the fine by the other EU DPAs, found that Marriott’s data security measures were not appropriate.

The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.

See ICO News