Marriott International, Inc – €20,450,000 Fine (United Kingdom, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Marriott International was fined €20.4 million by the UK's data protection authority for a data breach that exposed millions of guest records. This case shows the importance of securing customer data, especially when acquiring other companies.
What happened
Marriott International was fined for a data breach that exposed 339 million guest records due to inadequate security measures.
Who was affected
Guests whose personal data was compromised in the breach, including 30 million from the EEA and 7 million from the UK.
What the authority found
The ICO found Marriott failed to conduct sufficient due diligence and secure its systems, violating GDPR's security requirements.
Why this matters
This case underscores the need for thorough security checks during mergers and acquisitions. It warns companies to prioritize data protection to avoid hefty fines and reputational damage.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
Original Summary: The ICO issued a notice of its intention to fine Marriott International Inc due to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
Update: On 2020/10/30, the ICO announced its final decision to impose a fine of £18.4 million (approximately EUR 20.4 million) on Marriott International Inc. In its decision, the ICO set forth its considerations for the calculation of the fine, which included Marriott's absence of prior violations or omissions and the fact that Marriott had fully cooperated with the investigation and had taken steps to notify the individuals concerned. In addition, the ICO noted that it had also aligned the fine with fines already imposed on other companies, in particular by other European data protection authorities.
Related Enforcement Actions (0)
No other enforcement actions found for Marriott International, Inc in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 30 October 2020
Authority: Information Commissioner's Office
Fine Amount: €20,450,000
Enforcement Tracker ID: ETid-60
About this data
Cite as: Cookie Fines. Marriott International, Inc - United Kingdom (2020). Retrieved from cookiefines.eu