ICO plans to fine Marriott £99 million


The Marriott data hack is one of the most serious data breaches of its kind. The breach put the personal data of 339 million customers at risk, and the Information Commissioner’s Office (ICO) has announced that it plans to fine the US hotel group £99.2 million.

In a statement, the Information Commissioner Elizabeth Denham said:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

This announcement came a day after the UK’s data privacy regulator said that it planned to fine British Airways £183m over a separate breach.

These huge fines reflect changes in data protection law since the General Data Protection Regulation (GDPR) came into force.

However, while the ICO has the power to impose data breach fines, it does not give this money to victims of the data breach. So, if your data was put at risk by Marriott, you should now make a data breach compensation claim.

What happened in the Marriott data breach?


On September 8, 2018, Marriott became aware that hackers had managed to access its Starwood guest reservation database. However, when investigating the breach, it was uncovered that cybercriminals had enjoyed access to this database since 2014.

During this time the hackers accessed, copied and removed the private data of millions of customers. The stolen data includes information such as passport numbers, emails, dates of birth, gender and mailing addresses, and in some cases reservation dates. Marriott also said that it was not able to rule out whether credit card information was exposed.

This theft of personal and financial information could lead to identity and financial fraud which has the potential to turn a person’s life upside down.

What did Marriott do wrong?


The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

What happens now?


Marriott is now taking the opportunity to make representations to the ICO as to the proposed findings and sanction. Or, in other words, it is appealing the proposed fine.

The ICO will carefully consider the representations made by Marriott and the other concerned data protection authorities before it makes a final decision.

What can you do if you were affected by the Marriott data breach?


We have launched a group action against Marriott for this privacy infringement. The action allows people with the same type of claim to bring it together on a collective basis. This strengthens their overall position and increases their chances of success.

The Marriott data breach was able to happen because the company failed to implement reasonable and robust security processes. So, claiming compensation isn’t just in your best interests: the only way organisations will be persuaded to take their responsibilities seriously is by taking strong and decisive action.

To join our Marriott data breach group action claim, register with us today. We can help you claim compensation for financial losses, as well as for inconvenience and distress.

We can take on your claim on a no-win, no-fee basis.

Contact Keller Lenkner UK’s expert data breach lawyers to discuss the Marriott data breach.
