FineME
Cybersecurity · Hospitality · 2020

Marriott International Inc.

Marriott International was fined for a data breach originating from a compromise of the Starwood Hotels reservation system that dated to 2014, remained undetected until 2018, and ultimately exposed approximately 339 million guest records worldwide including around 7 million UK residents. The ICO found Marriott failed to conduct adequate due diligence when it acquired Starwood in 2016 and failed to implement adequate security measures on the inherited systems post-acquisition. The fine was reduced from an initial notice of £99.2 million following co-operation with the investigation.

Fine Imposed

€21.5M

Authority

ICO-UK

Regulation

UK General Data Protection Regulation + Data Protection Act 2018

Max fine

Higher tier: £17.5M or 4% of global annual turnover; standard tier: £8.75M or 2%

Status

active

Key Takeaways
  • M&A due diligence must include thorough assessment of target company cybersecurity posture — acquirers inherit data protection liabilities along with IT systems, and failure to secure inherited systems is an acquirer's own GDPR violation.