Marriott Charged with $123m After Data Breach


Hotel industry giant, Marriott, faces charges amounting to £99 million (equivalent to $123 million). The hotel chain’s charges follow the data breach which compromised the information of up to 383 million customers.

The ICO fined the hotel giant under the General Data Protection Regulation (GDPR) after suffering a breach in 2018. According to Elizabeth Denham, U.K. Information Commissioner, “organizations must be accountable for the personal data they hold.” In a report published by Forbes, she further states that “organizations have a legal duty to ensure its security.”


CNBC notes that under the GDPR, the maximum fined reaches 4% of the company’s global turnover. The $123 million fine only accounts for 1.5% of the corporation’s turnover.

Marriott Charged with 3m After Data Breach

Accessed Information

The breach reportedly occurred in September of 2018. However, Forbes notes that the cyber attack only reached public ears come November.


The cyber attack affected the guest reservation database via unauthorized party access. The compromised information includes names of customers, phone numbers, email addresses, passport details, and payment information.

Based on the report published by the Marriott Group, hackers accessed 18.5 million encrypted passport numbers. In addition, unauthorized access showed access to 5.25 million unencrypted passport numbers. Moreover, the hackers also obtained 385,000 valid card numbers as well as 9.1 million payment card numbers.

Of these numbers, 7,000,000 live in the United Kingdom while 30,000,000 individuals living in the European Economic Area.

Proposed Fines

With numerous affected individuals living in the EEA, the Information Commissioner’s Office filed an intention to fine the hotel group. As reported by the ICO, the system vulnerability started when the Marriott group acquired the Starwood chain of hotels. The Starwood group allegedly experienced unauthorized access last 2014.

With the acquisition happening in 2016, the ICO states “Marriott failed to undertake sufficient due diligence when it bought Starwood.” However, as of writing, the hotel giant upgraded its security systems. In 2018, the Tech Crunch states that the corporation also removed the reservation database from its system.

Disappointing Move

Having cooperated with the authorities, Marriott feels “disappointed with this notice of intent from the ICO.” The company plans to contest the proposed fines.

Honouring the hotel company’s right to respond and protest, the ICO will consider the findings prior to making a decision.

Apart from the U.S. hotel group, the ICO also proposed a fine of £183 million ($229 million) towards British Airways. As reported by CNBC, the airline company compromised the data of 500,000 individuals.