Marriott International has been handed an £18.4m fine by the UK data watchdog over a data breach that compromised the personal details of millions of customers.
The fine relates to an attack on the Starwood hotels chain that exposed records belonging to 339m guests worldwide.
The cyber attack began in 2014, before Marriott took over the chain, but went undetected until September 2018.
Names, email addresses, phone numbers and passport details were among the data impacted by the breach.
The Information Commissioner’s Office (ICO) today said Marriott had failed to put appropriate measures in place to protect customer data.
While the cyber attack dates back to 2014, the fine only applies to the breach from May 2018, when new GDPR laws came into force.
“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” said information commissioner Elizabeth Denham.
“When a business fails to look after customers’ data, the impact is not just a possible fine; what matters most is the public whose data they had a duty to protect.”
The £18.4m fine is significantly lower than the £99m penalty originally proposed by the ICO. The data watchdog said it had considered the steps Marriott took to mitigate the incident and the impact of Covid-19 on its businesses before setting the final amount.
The company is also facing a group legal action in London on behalf of millions of customers in England and Wales who were affected by the breach.
The hotel chain said it did not intend to appeal the decision, but made no admission of liability relating to the decision or underlying allegations.
It comes after the ICO fined British Airways £20m for a 2018 data breach that affected more than 400,000 customers.
The two fines are the largest to be handed down by the watchdog for failures to properly protect customer data.
“Given the dramatic fall in revenue that the travel and leisure sector has experienced during the coronavirus pandemic, these fines send a very powerful message to organisations that they must invest in keeping their customers’ data secure,” said Chris Combemale, chief executive of the Data & Marketing Association.
“Otherwise they will face penalties that could prove far more costly to the business.”