The British privacy watchdog has fined American hotel chain Marriott £18.4 million (over 20 million euros) for a data breach from 2014. The hotel chain did not make enough effort to protect guests’ data, the Information Commissioner’s Office (ICO) concludes.
The affected guests were customers of the Starwood hotel chain, which was acquired by Marriott in 2016. The company included hotels under the W Hotels and Sheraton brands.
Marriott estimates that at least 339 million guests have fallen victim to the hack, but the actual number may be higher. When the hack came to light in November 2018, initial estimates spoke of half a billion victims. Some of the victims may also have been counted twice.
Names, email addresses, telephone numbers and passport numbers, among other things, were stolen by the hacker or hackers. The data is sensitive and can, for example, be misused for identity fraud.
The amount of £18.4 million is considerably lower than the £99.2 million fine that the ICO actually intended to impose.
The ICO investigated the data breach on behalf of all European privacy regulators. Since May 2018, an umbrella privacy regulation has applied in the EU, which in the Netherlands is called the General Data Protection Regulation (GDPR).