Marriott Hotels fined for breach of data security

The Marriott Hotels hospitality chain has been fined £18.4 million by the UK's data privacy watchdog.

According to the Information Commissioner's Office (ICO), the breach of data security may have affected up to 339 million guests, including seven million UK-based guest records.

The ICO has stated that the firm failed to put in place appropriate safeguards, putting at risk details including names, contact information and passport details.

The initial attack took place in 2014, affecting the Starwood Hotels group before it was acquired by Marriott two years later. However, the ICO has revealed that the attacker continued to access affected systems until 2018, when the problem was identified.

While the ICO acknowledged that the group's data security has since improved, it stated that Marriott had failed to protect personal data as required by the General Data Protection Regulation (GDPR).

"Millions of people's data was affected by Marriott's failure," said commissioner Elizabeth Denham. "Thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not."

The ICO has revealed that different types of data were accessed for each guest, and some of the estimated 339 million records accessed may have been duplicate records for guests visiting on more than one occasion. As a result, it is impossible for the firm to reveal an exact count.

In a statement, Marriott has revealed that it "deeply regrets the incident".

"Marriott remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems," it said. "The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests."