Marriott sets aside £104m just in case GDPR plea fails

Marriott International’s chief executive has talked a good game in the hotel giant’s battle to overturn – or at least slash – the proposed £99.2m penalty for breaching GDPR, but the firm has still set aside the cash… just in case.
According to the company’s latest results, Marriott has taken a $126m (£104m) charge over the incident, which began at subsidiary Starwood Hotels before Marriott even acquired the business.
Marriott self-reported the breach in November last year, which exposed about 339 million guest records globally. But it is the details of 30 million EU customers – 7 million of whom live in the UK – that the ICO is concerned about.
According to the regulator, the vulnerability began when the systems of the Starwood Hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
At the time, Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
To which Marriott International president and chief executive Arne Sorenson responded: “We are disappointed with this notice of intent from the ICO, which we will contest. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
