UK to fine Marriott over theft of Starwood customer data

The chain estimates that the theft affected approximately 8.6 million payment card numbers

The United Kingdom's Information Commissioner's Office (ICO) has informed Marriott International that it intends to impose a penalty of 99.2 million pounds (110 million euros) on the hotel chain for breaching the European General Data Protection Regulation (GDPR).

The fine proposed by the United Kingdom relates to the cyber attack that Marriott notified to the ICO in November 2018, although the compromise of the system dates back to 2014. The US chain acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

In a statement, the British agency said that its investigation found that Marriott «did not perform due diligence when it bought Starwood and should have done more to secure its systems,» although it acknowledges that the hotel chain has cooperated with the investigation.

The notification of the sanction follows the one issued last Monday to British Airways (BA), part of the IAG holding, in which the same body proposes a penalty of 183.39 million pounds (about 204.6 million euros) for the theft of customer data from the airline's website in 2017.

«The GDPR makes it clear that organizations must be responsible for the personal data they have,» said Information Commissioner Elizabeth Denham, which includes «performing due diligence when making a corporate acquisition and establishing appropriate liability measures to assess not only what personal data has been acquired, but also how they are protected.» «If that does not happen, we will not hesitate to take firm action when necessary to protect the rights of the public,» she added.


Following the notice of sanction, the president and CEO of Marriott International, Arne Sorenson, has expressed disappointment at the intention to sanction the chain and has indicated that it will challenge the fine.

Marriott has been cooperating with the ICO throughout its investigation of the incident and has stated that the Starwood guest reservation database that was attacked is no longer used for business operations.


«We deeply regret that this incident has occurred. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott,» he said.


Marriott estimated that at most 383 million records were affected by the theft of reservation data from customers of its Starwood-brand hotels, down from the 500 million initially identified; of these, 30 million belonged to EU residents, including about seven million residents of the United Kingdom.

The hotel giant, which operates more than 30 brands and acquired Starwood two years ago, had at that time calculated that the theft could have affected approximately 327 million of these customers. According to its own investigation, the intrusion is believed to have begun when Starwood's hotel systems were compromised in 2014.

At the end of November, Marriott discovered that there had been unauthorized access to Starwood databases since 2014, a year before it bought the brand, meaning the systems had been compromised for four years; investigations were subsequently opened in at least five US states and in the United Kingdom.

Following its internal investigation, the group identified the theft of approximately 8.6 million payment card numbers, all of them encrypted, about 5.25 million unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.