On July 9, 2019, the UK’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International Inc. (Marriott) £99.2 million (approximately $162 million CAD) under the GDPR. The fine is a result of a major data breach reported by the hotel group in November 2018, which is thought to have affected over 350 million guests globally. Marriott will have an opportunity to make representations to the ICO before the ICO makes its final decision.
The November 2018 data breach originated from Marriott’s acquisition of the Starwood hotels group’s reservation database (Starwood). The Starwood database may have been compromised as early as 2014. However, Marriott acquired the reservation database in 2016 and did not discover the exposure of customer information until 2018.
The ICO found that Marriott failed to take reasonable steps to adequately secure the purchased database. The leaked information is thought to include customers’ names, passport numbers, credit card details and contact information. The compromised database was removed from use when the hotel chain discovered and reported the breach.
The ICO’s announcement comes shortly after the ICO announced its intent to fine British Airways £183.39 million (~$299 million CAD), as previously reported by the E-TIPS® Newsletter here. The British Airways fine represents the largest fine ever levied under the GDPR. Beyond substantial fines, both British Airways and Marriott may be liable for damages following potential class action lawsuits.
Summary By: Sam Hargreaves
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.