Hotel group and Trump Turnberry owner Marriott fined over data breach

Hotel chain Marriott International has been fined £18.4 million over a data breach at its Starwood arm, whose properties include Trump Turnberry in Ayrshire, that is estimated to have affected around 339 million customers.

Marriott said it 'deeply regrets' the incident. Picture: Steven Scott Taylor/JPI Media.

The sum demanded by the Information Commissioner's Office (ICO) is reduced from the £99m initially announced in July last year, owing to the economic impact of Covid-19 and steps taken by the firm to mitigate the effects of the incident.

Marriott said it does not intend to appeal over the decision, but makes "no admission of liability in relation to the decision or the underlying allegations".

A cyber attack, from an unknown source, affected the systems of the Starwood hotels group in 2014 but was not detected until 2018, two years after Starwood was acquired by Marriott.

A cyber attack affected the systems of the Starwood hotels group, which encompasses Trump Turnberry in Ayrshire. Picture: John Devlin.

Starwood hotels also include London's Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly.

It is believed the personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership number.

The exact number of people affected is unclear as there may have been multiple records for an individual guest, but around seven million records relate to people in the UK.

The ICO said its investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems.

Because the incident happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The data regulator said it acknowledges that Marriott acted promptly to contact customers and has since instigated measures to improve the security of its systems.

The hotel group said: "Marriott deeply regrets the incident [and] remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems, as the ICO recognises.

"Marriott wants to reassure guests that the incident and the ICO's decision involved only Starwood's separate network, which is no longer in use."
