Home News Marriott International Slapped with $123 Mn GDPR Fine for 2014 Data Breach

Marriott International Slapped with $123 Mn GDPR Fine for 2014 Data Breach

November 5, 2020

Marriott International’s Data Breach Exposes Records of 5.2 Million Guests

The U.K.’s Information Commissioner’s Office (ICO) imposed £18.4 million ($23.92 million) fine on Marriott International Inc. for violating the GDPR guidelines. The data privacy regulator stated that Marriott has failed to protect the personal data of millions of its customers. Around 339 million guest records worldwide were affected after a cyberattack on Starwood Hotels and Resorts Worldwide Inc. in 2014, remained undetected until September 2018, by when the company had been acquired by Marriott.

Attack Background

In 2014, an unknown attacker installed a malware code in the Starwood systems to obtain access to the contents remotely. With unrestricted access to the infected device, attackers distributed malware to other devices on the network to steal customers’ sensitive information. The exposed information included names, email addresses, unencrypted passport numbers, phone numbers, arrival/departure information, guests’ VIP status, and loyalty program membership number.

Related Story: Four Biggest GDPR Fines of 2020

Violation Penalty

The ICO’s investigation found that Marriott failed to put appropriate security measures to protect its customers’ data being processed on its systems, as per the GDPR.

In July 2019, the ICO issued Marriott with a notice of intent to fine up to £99,200,396 ($123 million) for violating the data breach regulations. However, the regulator decreased the penalty amount considering the economic impact of COVID-19 on their business.

Information Commissioner, Elizabeth Denham said, “Personal data is precious, and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Related Story: Marriott International faces $123 million GDPR fine

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

MOST POPULAR

45% companies don’t have cybersecurity leader: Study

Nearly half of companies have suffered a data breach in the past year: Survey

Mobile messaging apps new hideout of Dark Web activities: Study

NSA hacking code lifted from a personal computer in U.S.: Kaspersky

Instagram data breach! 49 million users’ sensitive data exposed online

RECENT POSTS

Saudi Global CISO Summit

St. Louis Cybersecurity Conference

IT Security Insights 2025

Atlanta Cybersecurity Conference

CISO Perth

EVEN MORE NEWS