LONDON – Britain’s data privacy watchdog said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.
The UK Information Commissioner’s Office said in a statement it fined Marriott £18.4-million for breaches of data that included personal information such as passport numbers since March 2018.
That was when new European Union data protection rules, or GDPR, came into effect.
READ: Marriott says hack was smaller but hit 5.25 mn passports
The final penalty is far less than a figure of around £100 million originally planned by the ICO.
The watchdog said it had taken into account “steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.
Since the breach occurred before Britain left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.
READ: Marriott says up to 500 million guests affected by hack
The ICO said Marriott’s breach in fact dated back to 2014, uncovering client data including passport numbers.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack six years ago on Starwood Hotels and Resorts Worldwide.
The ICO said the precise number of people affected remained unclear as there may have been multiple records for an individual guest.
It added that seven million guest records related to people in the UK.