ICO fine Marriott International more than £99 million for data breach

The Information Commissioner’s Office (ICO) has said it will be fining Marriott International £99,200,395 under GDPR for data breaches.

The fine is due to an incident in November 2018, which Marriott notified the ICO about. Around 339 million guest records were exposed. Around 30 million contacts were from 31 countries in the European Economic Area, with seven million of those contacts being UK residents.

Elizabeth Denham, information commissioner at the ICO, said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Following the announcement of the ICO's intention to fine Marriott International, the hotel chain will now have the opportunity to present what it has done to strengthen security.

This is the second GDPR-related fine this week. British Airways was fined £183,390,000 for compromising the personal data of 500,000 customers.
