Second biggest penalty
Marriott Hotels fined £18.4m for breach of privacy rules
Trump Turnberry signed a deal with Starwood
Hotel group Marriott International has been fined £18.4 million for breaches of the General Data Protection Regulation (GDPR) that affected millions of customers around the world.
A cyber attack, from an unknown source, affected the systems of the Starwood hotels group in 2014 but was not detected until 2018, two years after Starwood was acquired by Marriott.
The Trump Organisation signed a deal that year to manage Turnberry in Ayrshire as part of a franchise agreement with Starwood Hotels and Resorts.
The data breach is estimated to have affected around 339 million customers.
The penalty, imposed by the Information Commissioner’s Office (ICO), has been reduced from the £99m initially announced in July last year owing to the economic impact of Covid-19 and steps taken by the firm to mitigate the effects of the incident.
Marriott said it does not intend to appeal against the decision, but makes “no admission of liability in relation to the decision or the underlying allegations”.
The latest penalty follows the £20m fine issued to British Airways – both significant fines for the travel and leisure sector, and the largest fines issued by the ICO to date.
In a statement Marriott said it “deeply regrets the incident” and that it “remains committed to the privacy and security of its guests’ information”.
It added: “Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”