Kristen Zanoni  |  November 2, 2020

Category: Data Breach


The Information Commissioner’s Office (ICO) has imposed an £18.4 million fine on Marriott International after millions of consumers had their private information accessed in a data breach. 

The Marriott General Data Protection Regulation (GDPR) fine follows the hotel giant’s 2014 data breach, which affected 339 million customer records globally. The Marriott data breach went undiscovered until September 2018. Details of the cyberattack that led to the £18 million Marriott GDPR fine are still fuzzy, as the attacker remains unknown, according to the ICO.

The Marriott data breach began in 2014 when an anonymous cyberattacker installed code onto one of Starwood Hotels’ systems. The code was discovered shortly after Marriott acquired Starwood in 2018.

The installation allowed the cybercriminal to access the information remotely, the ICO reported.

While the cyberattacker had access to the hotel’s system, malware was installed to capitalise on the data, according to the ICO. The cybercriminal had unrestricted remote access to important guest records.

Furthermore, the cybercriminal installed additional tools to collect login details from other Starwood users.

Using those additional login details, the hacker was able to access the hotel chain’s reservation information storage. The information was then exported to be exploited in any way the cybercriminal desired.

The Marriott data breach’s attacker accessed a wealth of information from guests’ records. According to the BBC, the cyberattacker obtained:

  • Arrival and departure details
  • Customer names
  • Email addresses
  • Marriott loyalty programme numbers
  • Passport details and numbers
  • Phone numbers 
  • VIP status information

An ICO investigation into Marriott’s system found GDPR guidelines were not upheld.

The ICO says the exact number of hotel guests who had their personal details stolen is unknown, because there may have been several records for each guest. What is known, however, is that 7 million U.K. customer records were accessed in Marriott’s data breach, according to the ICO.

The ICO took action and imposed the Marriott GDPR fine when it found that the hotel chain did not have proper safeguards in place to protect the personal details it collects. As a hotel, Marriott is responsible for recording and retaining guest records, and part of that responsibility is keeping the data guests provide safe.

The Marriott GDPR fine was initiated in July 2019, starting with a notice of intention filed by the ICO.

After the ICO investigated and considered the hotel chain’s follow-up actions and the financial effects of the pandemic, the ICO settled on its final fine amount.

The ICO acknowledges that Marriott acted quickly to report the incident to the agency and to contact all the affected guests. The ICO also acknowledges that Marriott worked to alleviate the damage done to customers and moved quickly to improve the security of its systems.

The Marriott GDPR fine does not penalise the company for the period from 2014, when the breach occurred, but only from 25 May 2018 onwards, once the new GDPR rules were in force.

The Marriott data breach occurred before the U.K. exited the European Union, so the ICO’s investigation into the attack was on behalf of European authorities. The Marriott GDPR fine has been approved by the EU.

While the punitive Marriott GDPR fine settled the ICO’s grievances with the company, affected customers who had their private information exploited have taken their own actions.

A Marriott data breach class action lawsuit has been launched for the hotel guests involved.

Many of the millions affected in the Marriott data breach have filed claims in the open group action, being represented by law firms in the U.K. The terms of compensation will be determined in court.
