£18.4m fine for Marriott Hotels following data breach

The Information Commissioner’s Office (ICO), the UK’s independent privacy watchdog, has fined Marriott Hotels £18.4m after a data security breach left the personal data of hundreds of millions of customers worldwide exposed to hackers.

The breach occurred following a cyber-attack in 2014, on a company called Starwood Hotels and Resorts Worldwide Inc. However, it went undetected for four years, during which time the company was acquired by Marriott. This means that from 2014 to 2018, the unknown attacker had access to details including names, email addresses, phone numbers, passport ID numbers, and more.

Back in July, the ICO stated its intention to fine Marriott a staggering £99m, but this was later greatly reduced to the current figure of £18.4m due to Marriott’s swift action to rectify the situation following its identification of the breach, as well as the economic impact of COVID-19 on the hotel chain’s business.

Why was Mariott fined?

Under the General Data Protection Regulation (GDPR), companies are required to put certain organisational and technical measures in place to protect any personal data processed through their systems. Despite the fact that Starwood’s system was hacked prior to its merger with Marriott in 2016, the responsibility for customers’ personal data under the GDPR became Marriott’s as soon as the acquisition was complete.

In its report, the ICO stated that there were “multiple failures by Marriott to put in place appropriate technical or organisational measures to protect the personal data being processed on Marriott’s systems.” It also stated that Marriott had failed to adequately review Starwood’s data practices upon its acquisition, and that appropriate measures were not in place to allow for the identification of breaches, or to prevent further unauthorised activity once a breach had occurred.

Although the data breach dates back to 2014, the fine only applies to the period following 25 May 2018, when the GDPR came into force.

Not the biggest fine to date

The original £99m fine would have been one of the biggest GDPR fines ever issued, but its reduction to £18.4m means it can be beaten by some margin. In July, the ICO issued a statement of its intention to fine British Airways £183m for a data breach in 2018; this was later reduced to £20m, but still remains the largest fine issued by the ICO under the GDPR to date.

Across the channel, French data protection agency CNIL fined Google €50m for a lack of transparency, inadequate information and a lack of valid consent to process users’ personal data for ad personalisation purposes. This remains the highest fine issued so far under the GDPR.

How are fines calculated?

Article 83 of the GDPR sets out a two-tiered approach to imposing fines on offending businesses. The higher tier carries a potential fine of up to £20m or 4% of global annual turnover, whichever is higher. The lower tier carries a (still significant) fine of up to £10m, or 2% of annual global turnover, whichever is higher.

Higher tier sanctions are reserved for only the most serious GDPR infringements, such as:

  • Processing personal data in an illegitimate, fraudulent or corrupt way
  • Processing personal data without the user’s consent
  • Failing to provide a clear, easy-to-read version of the organisation’s privacy policy
  • Refusing to provide users with data held on them, or failing to delete, edit or review their data at their request
  • Failing to comply with an order issued by a GDPR officer.

Lower tier violations include:

  • Collecting information from a minor without parental consent
  • Failing to keep adequate records of data taken from users
  • Failing to inform the relevant authorities of a data breach within 72 hours
  • Failing to appoint a data protection officer
  • Hiding the involvement of third parties in a privacy policy
  • Storing data on a user once the reason to hold that data no longer exists.

These are just some examples of the GDPR breaches that may incur fines. For more information on the GDPR, or to enquire about GDPR rules in relation to your business, please contact our Corporate Commercial team at businesslaw@woodfines.co.uk.


  • This field is for validation purposes and should be left unchanged.