GDPR fines roll in: After BA, Marriott faces £99m fine over breach affecting 383 million


US hotel giant Marriott International could get a £99.2m (AU$178m) fine from the UK’s privacy watchdog over a multi-year breach of the reservation database of Starwood Hotels, which it acquired in 2016. 

Marriott discovered the breach on September 8, 2018 but waited until November 30 to disclose the incident. The attackers had held access to the Starwood guest reservation database since 2014, two years before Marriott acquired the brand. Marriott's initial estimate of 500 million affected customers was later revised down to 383 million.

While 9.1 million encrypted payment card numbers were copied by the attackers, the long-running breach also gave them access to the sensitive personal information of several hundred million customers, including copies of passports, dates of birth, and reservation dates.

Marriott on Tuesday filed a report with the US Securities and Exchange Commission (SEC) disclosing the UK Information Commissioner's Office (ICO) proposed fine of £99,200,396 for violating Europe's new General Data Protection Regulation (GDPR), which came into effect in May 2018.

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said Marriott International’s President and CEO, Arne Sorenson.