UK ICO Imposes £16.95 Million Penalty on Marriott for Data Breach Incident

Published on October 31, 2020
Written by: Bill Toulas, Cybersecurity Journalist

The UK’s Information Commissioner’s Office (ICO) has published its decision to fine Marriott International £16.95 million (about $22 million) for GDPR and DPA violations that took place between May 25, 2018, and September 17, 2018. The hackers actually remained in Marriott’s systems between 2014 and 2018, but the ICO only mentions the period to which the legal provisions apply.

Back in July 2019, the ICO decided to fine Marriott £99 million ($128 million) for that security incident. The payment of this fine was repeatedly postponed, though, for unclear reasons - and as time passed, we entered the turbulent 2020. The pandemic has hit Marriott severely, considering it is a hotel chain, so the ICO decided to be a lot more lenient, exactly as it was with British Airways earlier in the month.

However, the fine that was finally imposed on the firm is almost an insult to the people who had their sensitive information exposed for four years. The ICO investigation revealed that the number of affected people is 339 million. The hotel guests had their passport numbers, reservation details, credit card numbers, and more exposed. All of that was valued at £0.05 each, and so the total amount reached roughly one-fifth of the original fine.


The ICO states that Marriott’s willingness to cooperate with the data watchdog’s investigators won the company a 20% discount and that the COVID-19 situation alone cut another £4 million. This sounds logical, but we must not overlook Marriott’s recent failure to protect customer data again, even after all that had happened previously.

In April 2020, Marriott announced yet another data breach that took place in January 2020. The hackers used employee credentials to access the sensitive details of 5.2 million hotel guests. The ICO is still investigating that incident, so no fines have been decided for it yet. However, it is clear that the ICO has not considered it in its decision on the 2018 fine.

As for the GDPR effect in the UK, the recent incident took place while the regulation was active and the country was still a member of the EU. In general, it is expected that the Data Protection Act (DPA) rules will take effect after January 2021.


