Information Commissioner’s Office fines Marriott International Inc £18.4 million under the GDPR for failing to keep customers’ personal data secure

Marriott estimates that 339 million guest records worldwide were affected by a cyber-attack that began in 2014 on the systems of Starwood Hotels and Resorts Worldwide Inc. The attack, attributed to an unknown source, remained undetected until September 2018, by which time Starwood had been acquired by Marriott.

The personal data affected varied between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests’ VIP status and loyalty programme membership numbers.

The ICO’s investigation found that Marriott had failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as the GDPR requires (Articles 5(1)(f) and 32).

The ICO’s investigation traced the cyber-attack back to 2014, but the penalty relates only to the period of the breach from 25 May 2018, when the GDPR came into effect. The ICO’s press release and the Monetary Penalty Notice itself are published on the ICO’s website.