Search Our Site

We have 3,783,550 registered online learners.
136 new learners so far today.

Marriott Hotels Facing £99m Fine After GDPR Data Breach

schedule 11th July 2019 by Virtual College in Virtual College Last updated on 12th July 2019

Marriott hotel GDPR fine

Why is Marriott facing this fine?

The Information Commissioner’s Office (ICO) has declared their intent to fine hospitality group Marriott International £99.2 million after a data breach reported in November 2018.

The penalty comes shortly after a record-breaking fine of £183 million was handed to British Airways on 8th July for a similar scandal where customer details were taken. Both instances demonstrate the new extensive powers granted to the ICO with regards to GDPR breaches, which can see the watchdog pursue fines of up to 4% of a company’s global annual revenue.

How did the security breach happen?

The personal details of around 339 million guests from 31 European countries were exposed in the massive cyberattack which is thought to have started as far back as 2014. Stolen data was made up of credit card details, names, dates of birth and passport number from customers, including 7 million from the UK.

An investigation from the ICO believes that the data breach originated with the Starwood hotels group whose systems were compromised in 2014. When Marriott acquired Starwood for £10.8 billion in 2016 and the two groups merged in 2018, Marriott took control of the data held by Starwood. The investigation claims that Marriott did not carry out sufficient checks on Starwood’s data operations, and ‘should have done more to secure its systems’.

What is GDPR?

On a basic level, the GDPR is designed as a direct replacement for the Data Protection Act, which was introduced in 1995 as a UK equivalent to the EU's 1995 Data Protection Directive.

Affecting all UK companies that collect or process personal information on EU citizens, the new laws are intended to help protect the privacy and rights of individual consumers, giving data subjects more clearly delineated rights regarding what data is held about them, how it can be used, and when it should be deleted.

Although the new law reduces the overall number of principles from eight to six, the revamped regulations will be much broader in scope than the existing ones, handing the consumer greater control over their own personal data, and imposing harsh penalties on organisations that fail to comply.

Still in the dark about GDPR? Click here and check out all of our GDPR resources.

How does GDPR effect the data breach?

Information Commissioner Elizabeth Denham had the following to say on the investigation’s findings:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

In light of the scandal and investigation, Marriott has improved its security on customer data files and the compromised data system has been dropped from Starwood operations. The hospitality group, one of the largest in the world, has also challenged the findings and will be appealing through representations to the ICO.

How has Marriott responded to the ICOs action?

Marriott’s president and CEO Arne Sorenson said in a press release: ‘We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident.’

‘We deeply regret this incident happened,’ he continued, ‘we take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.’.

The final decision will be taken by the ICO, with input from other data authorities throughout Europe.

At Virtual College, we understand the importance of GDPR, and the serious implications of a company not being compliant. Therefore, we offer comprehensive GDPR courses to businesses to help them avoid a similar situation.

GDPR offer banner


Related resources

Virtual College Logo

Author: Virtual College

The latest training news brought to you by Virtual College. We create innovative digital learning experiences that inspire people to develop the skills they need to thrive in their careers; enhancing and enriching the organisations they work in. For 24 years, we have been developing and supplying collaborative, customer-focused e-learning technology for organisations world-wide.

ISO 9001:2015
Crown Commercial Service Supplier
LPI Accredited Learning Technologies Provider


+44 (0)1943 605 976

Virtual College

Marsel House


West Yorkshire

LS29 8DD

Awards for footer
Gold and silver award winners at the Learning Technologies Awards 2017 - including gold for excellence in the design of learning content.


We are in the process of moving to one Virtual College website. If you want to go back to a course, or start a course, bought from our old website then you may need to login to our original learning management system. Otherwise, please proceed to our new learning management system to return to your training.


You are already logged in. Click the button below to be taken to your LMS dashboard. Alternatively, click logout to leave the system.