In its second statement of intent of the week, on 9 July 2019, the UK’s Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc (“Marriott”) £99.2m under the General Data Protection Regulation (“GDPR”) for a personal data breach that occurred in relation to the Starwood guest reservation database system.
The breach is believed to have started when Starwood hotels’ systems were affected by a cyber-attack in 2014. The breach was uncovered and notified to the ICO in November 2018, two years after Starwood’s acquisition by Marriott. Personal data contained in over 330 million guest records were exposed by the incident. About 30 million records related to individuals from over 30 countries in the European Economic Area (EEA). Around 7 million records related to individuals located in the UK.