EU Regulation 2016/679 - Decision Register

MONETARY PENALTY NOTICE OF THE ICO / 30 OCTOBER 2020

Marriott £18.4 Million ICO Fine, 2020 Starwood Breach Decision Explained

The ICO fined Marriott for the Starwood guest-data breach inherited through acquisition. The decision is the leading authority on data-protection due-diligence in M&A. Reduced from £99M Notice of Intent.

Fine amount

£18,400,000

Original notice

£99,200,396

Issuing DPA

UK ICO

Decision date

30 October 2020

Articles cited

Article 32

EDUCATIONAL ONLY

This page is a reference summary of a published regulator decision. It is not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. The UK GDPR is a separate regime from the EU GDPR following Brexit. Always read the source decision in full before relying on any figure or quote.

DECISION SUMMARY

What happened

On 30 October 2020, the UK Information Commissioner's Office issued a Monetary Penalty Notice to Marriott International Inc imposing a fine of £18.4 million in respect of the data breach affecting the Starwood Hotels and Resorts guest reservation database. The breach is one of the largest in history by record count, with up to 339 million records exposed, including approximately 30 million records relating to residents of European Economic Area Member States, and approximately 7 million records relating to UK residents.

The breach predates Marriott's acquisition of Starwood. An attacker compromised the Starwood reservation database in November 2014 and retained access for approximately four years before detection in September 2018. Marriott International acquired Starwood Hotels and Resorts Worldwide Inc on 23 September 2016, integrating the Starwood guest database into the broader Marriott data environment. The undetected attacker access continued through the integration and into the post-GDPR period (after 25 May 2018), exfiltrating personal data and payment-card data over the four-year window.

Detection occurred in September 2018 when Accenture, a Marriott security contractor, identified anomalous query activity in the Starwood reservation database. Marriott notified the ICO on 22 November 2018 and publicly disclosed the breach on 30 November 2018. The ICO opened a formal investigation focused on Marriott's post-acquisition responsibility for the security of the acquired environment. On 9 July 2019, the ICO issued a Notice of Intent to fine Marriott £99.2 million. After representations, the final fine of £18.4 million was issued in October 2020.

What the ICO found

The ICO's legal analysis is anchored in two propositions. First, Marriott became responsible for the security of the Starwood reservation database from the date of acquisition (September 2016). The undetected breach predated the acquisition but continued throughout the post-acquisition period. Article 32 GDPR imposes an obligation on the controller to ensure appropriate security measures on a continuing basis; failure to detect a multi-year breach is itself an Article 32 failure. Second, the GDPR applied only from 25 May 2018, so the fine relates only to the post-25 May 2018 portion of the continuing breach (approximately three to four months of additional exfiltration before detection in September 2018). The pre-25 May 2018 period of the breach was outside the GDPR's temporal scope, although the historical context was relevant to assessing Marriott's post-acquisition response.

The specific Article 32 failures identified include: inadequate monitoring of privileged-user activity in the Starwood database environment (the attacker operated for years without detection); insufficient encryption of personal data at rest in the reservation database (although some categories were encrypted, others were not, and key-management practices were considered inadequate); insufficient log review and audit of database queries; and a failure to integrate the Starwood environment into Marriott's existing security monitoring stack on a timely basis after the acquisition. The combined effect was that an attacker with persistent access could exfiltrate data without triggering alerts.

The due-diligence-on-acquisition theme

The most-cited paragraphs of the Marriott decision address Marriott's pre-acquisition due-diligence. The ICO found that the data-protection due-diligence Marriott conducted on the Starwood environment was not appropriately scoped given the scale and sensitivity of the personal data processed. The decision does not require an acquirer to identify every possible security weakness in an acquired environment; it does require the acquirer to conduct a documented, risk-proportionate assessment of the acquired entity's data-protection posture, to identify material gaps, and to plan and execute remediation in the integration phase.

For practitioners, the operational implication is that data-protection due-diligence cannot be treated as a paper-only exercise of reviewing the acquired entity's privacy notices and data-protection-officer summary. It must include independent technical assessment of the security architecture of environments holding material categories of personal data, with sufficient depth to identify weaknesses that the acquired entity may not have surfaced or may not have appreciated. For acquirers, the cost of this due-diligence is a small fraction of the potential liability transferred by an inadequate review.

The 81% reduction

The reduction from the £99.2 million Notice of Intent to the £18.4 million final fine tracks the same pattern as the British Airways case decided two weeks earlier. Marriott's representations addressed the temporal apportionment (the GDPR-applicable period was a small subset of the four-year breach window), the cooperation provided to the ICO, the remediation work undertaken, and the financial impact of the COVID-19 pandemic on Marriott's 2020 trading position. The ICO accepted the representations in part and arrived at the reduced figure.

The combined effect of the BA (89% reduction) and Marriott (81% reduction) decisions of October 2020 was to set a pattern under which the gap between Notices of Intent and final ICO fines could be large where representations were substantive. Subsequent ICO decisions have shown smaller reductions where representations have been less effective, but the structural availability of the Notice-of-Intent representation period remains a meaningful procedural feature for controllers facing UK GDPR enforcement.

Why the case matters

For M&A teams, the Marriott case is the canonical reference on data-protection due-diligence in acquisitions involving large personal-data holdings. For CISOs, the case sits alongside the British Airways decision as the leading UK Article 32 authority. For boards, the case is a reminder that historical breaches inherited through acquisition do not absolve the acquirer of responsibility: continuing breaches in the post-acquisition, post-GDPR period are squarely within the acquirer's liability. The integration window is the point at which the acquirer must remediate identified weaknesses; failure to do so within a reasonable period exposes the acquirer to the full Article 32 fine framework.

FREQUENTLY ASKED

About the Marriott £18.4 million fine

What is the Starwood / Marriott breach?

In November 2014, an attacker compromised the Starwood Hotels and Resorts guest reservation database. Starwood was acquired by Marriott International in September 2016, which brought the compromised database into Marriott's operations. The breach was not detected until September 2018, by which time the attacker had had access for approximately four years. Up to 339 million guest records were exposed, including up to 30 million relating to European residents.

Why was Marriott fined for a breach that pre-dated its ownership?

The ICO's analysis was that Marriott, on acquiring Starwood, became responsible for the security of the acquired data. Because the attacker retained access, the breach continued after the acquisition and into the post-25 May 2018 period in which the GDPR applied. The ICO found that Marriott's due-diligence on the Starwood acquisition did not adequately identify the security weaknesses, and that Marriott's post-acquisition integration did not remediate them. Article 32 was infringed for the post-GDPR period of the continuing breach.

Why was the fine reduced from £99 million to £18.4 million?

Marriott made substantive representations to the ICO, addressing the apportionment of responsibility between pre-acquisition and post-acquisition periods, the impact of the COVID-19 pandemic on its financial position, and the cooperation it had provided. The ICO accepted the representations in part. The 81% reduction tracks the BA pattern from the same enforcement cycle.

Did Marriott appeal?

Marriott did not appeal the final £18.4 million fine and paid it in full. A separate civil group litigation in the High Court of England and Wales by affected customers was settled in 2024 for an undisclosed sum.

What lesson does this case teach M&A teams?

The Marriott decision is the leading authority on data-protection due-diligence in M&A. The implicit ICO standard is that an acquirer cannot rely on the acquired entity's own security assurances; the acquirer must conduct independent technical and procedural due-diligence on the acquired data infrastructure, particularly for environments holding large volumes of personal data, and must remediate identified weaknesses within a defined integration window. Failure to do so transfers liability for any pre-existing breach that continues into the post-acquisition period.

Is this still relevant in 2026?

Yes. The data-protection-in-M&A theme has, if anything, become more important as AI-system acquisitions and consolidation increase. The Marriott case is cited in due-diligence guidance from the IAPP, IAPP CIPP/E programmes and major M&A counsel. For acquirers in regulated sectors (financial services, healthcare, telecoms) and for any cross-border transaction involving European personal data, the Marriott analysis is a reference checkpoint.

CROSS-REFERENCES

Related entries on this register

RELATED CASE

British Airways £20M ICO Fine (2020)

The other landmark 2020 ICO Article 32 case. Reduced from £183M; same enforcement cycle.

ARTICLE 32

Article 32 GDPR Fines

Inadequate-security enforcement, with Marriott as the M&A due-diligence reference.

SUPERVISORY AUTHORITY

UK ICO Profile

The post-Brexit UK enforcement record, with Marriott historically the second-largest fine.

METHODOLOGY

How GDPR Fines Are Calculated

The Article 83(2) factor analysis used in this decision.

ECONOMICS

Compliance Cost vs Fine Cost

How data-protection due-diligence in M&A compares to a £18.4M fine.

REGISTER

Full Decision Register

Every major indexed GDPR fine.

SOURCES & CITATIONS

Primary sources

Figures as of May 2026. Verified against published DPA decisions.

REGISTER UPDATED 2026-04-28