Marriott's data breach deserves $124M fine, UK privacy watchdog says

The GDPR strikes again, in the wake of 339 million hotel guest records being exposed in a security incident.

Katie Collins Senior European Correspondent
[Image: Marriott International logo displayed on a smartphone. Caption: Marriott falls foul of GDPR. Credit: Igor Golovniov/SOPA Images/LightRocket via Getty Images]

In November 2018, the Marriott hotel group revealed it had been the victim of a four-year campaign by hackers to steal customer data from its reservations system. Now it's going to have to pay the price for failing to keep that data safe.

The Information Commissioner's Office, the UK's privacy watchdog, announced Tuesday that it intends to fine Marriott £99.2 million ($124M) over the security breach. It's issuing the fine in accordance with the General Data Protection Regulation, the far-reaching EU-wide privacy law introduced in May 2018.

Hackers breached the security systems of Starwood Hotels in 2014. Marriott bought Starwood in 2016, but didn't discover and then patch the breach until 2018. Personal data from 339 million guest records (30 million European citizens and 7 million UK citizens) was exposed in the incident.

Marriott CEO Arne Sorenson said in a statement that he was "deeply disappointed" with the decision by the Information Commissioner's Office and that he would contest it. "Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database," he said.


Last year the EU overhauled its pre-internet data protection laws to make them fit for the internet age. Under the GDPR, member states are able to fine companies 20 million euros ($22.4 million) or 4% of their total annual worldwide revenue in the preceding financial year if they fail to comply with the new rules. The Marriott fine is the second GDPR-related fine the ICO has announced this week. On Monday, the watchdog announced its intention to fine British Airways £183.4 million ($230M) over a 2018 data breach.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham in a statement. "Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Marriott acknowledged the challenges and the disruptions they pose.

"We deeply regret this incident happened," said Sorenson. "We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
