Marriott received an £18.4 million fine for a data breach: £0.05 for each of 339 million hotel guests
Marriott’s data breach concerned its subsidiary, Starwood hotels, bought by Marriott back in 2016. Back in 2014, hackers gained access to Starwood’s network and, in the following years, they managed to create a database without anyone’s knowledge. In 2018, the hackers’ presence was revealed when the system was checked for suspicious database operations. Not only was the system’s security compromised, but in-memory malware was also found in payment terminals across 8 hotels located outside the European Economic Area.

All in all, booking data of 339 million hotel guests was acquired by third parties, ranging from name, email address, and passport number to date of birth and reservation date. Hackers also gained access to encrypted card numbers of 9.1 million guests.

Marriott’s fine was initially predicted to be higher than the final £18.4 million, but it was significantly lowered because the company cooperated with Information Commissioner's Office (ICO) investigators and notified customers about the data breach. The ICO is “the UK's independent authority set up to uphold information rights in the public interest”, and handles the UK’s data breach cases. The ongoing pandemic, which deeply affected the entire tourism industry, also influenced the ICO’s decision to punish Marriott less severely than previously intended.