Marriott International
Issued by Information Commissioner's Office (ICO) on 2020-10-30
What happened
The ICO fined Marriott £18.4 million (approx. €20.4M) following a cyber attack on Starwood guest reservation systems that exposed approximately 339 million guest records worldwide. The breach originated in 2014 (pre-GDPR) at Starwood Hotels, which Marriott acquired in 2016. Marriott failed to conduct sufficient due diligence during the acquisition and did not adequately secure the inherited systems.
Articles violated
Lessons learned
M&A due diligence must include thorough cybersecurity assessments of target company systems. Acquiring companies inherit the data protection responsibilities of acquired entities. Legacy systems must be promptly reviewed and secured after acquisitions. Regular penetration testing and security audits are essential.
Source
View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
