Marriott International has been fined £18.4 million for a security breach affecting millions of guest records dating back to 2014.
The Information Commissioner's Office (ICO) had originally intended to fine the hotel company £99 million, but reduced the penalty after taking into account the remedial steps Marriott has taken since, representations from the company and the impact of COVID-19.
In addition, the fine relates only to the part of the breach occurring from March 25, 2018, when the GDPR came into effect.
Marriott revealed that it had detected the breach just under two years ago, saying that it affected 500 million guest records.
At the time the company said customer names, addresses, phone numbers, email addresses, passport numbers and other personal information had been exposed.
It later revised the number of records affected to 383 million.
The investigation by the ICO concludes that Marriott failed to put technical and/or organizational measures in place to protect guest information.
Information Commissioner, Elizabeth Denham, says: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”
The ICO also says Marriott acted quickly to contact customers and to mitigate the risk of damage to customers.
In October, the ICO announced its final penalty of £20 million to British Airways following an initial announcement it would fine the airline £183 million.