After the reservation system of the world's largest hotel chain was hacked, our data protection team shares the lessons that can be learnt.
Marriott International bought Starwood Hotels and Resorts Worldwide in 2016, creating the largest hotel chain in the world with over 5,800 properties.
Marriott reported that the data of up to 500 million guests may have been accessed following unauthorised access to the Starwood guest reservation database. This data included names, postal and email addresses, passport numbers, dates of birth and gender, along with other data that could be used to identify the person who made the booking.
What will the consequences be?
This is now being investigated by the ICO. Having only recently been reported, the breach may be subject to the General Data Protection Regulation (GDPR), under which the maximum fine is the higher of €20 million or 4% of worldwide annual turnover. Consequently Marriott International could be facing a fine of up to £3.6 billion.
However, Marriott has stated that the breach is a continuation of an intrusion that began in 2014 and that it only recently became aware of it. If the ICO treats the infringement as predating the GDPR, then, as we have seen with Facebook, Equifax and others, the investigation and report compiled by the ICO would be conducted under the old regime (the Data Protection Act 1998), and the maximum fine may well only be £500,000. The caveat is that the GDPR applies from 25 May 2018 and the unauthorised access continued beyond that date, so the ICO could still treat the period after May 2018 as an infringement under the new regime.
Learning from their mistakes
This is a further warning of the importance of staying on top of compliance and ensuring the security of personal data.
It is also important to note that a breach suffered before 25 May 2018 still needs to be reported. The GDPR did not wipe the slate clean and allow organisations to "start afresh": under Article 33 the 72-hour notification period runs from when the organisation becomes aware of the breach, not from when the breach began. The fact that a breach started before the GDPR came into force does not erase its impact; it only lessens the repercussions that may be imposed by the ICO.
Reviewing compliance can be a relatively simple process, but it is something that does need to be done in order to avoid potentially hefty fines.
If you have questions about your organisation’s compliance under the GDPR, or would like assistance ensuring you are compliant, please contact Tom Chartres-Moore, an Associate in our IP/IT and Data Protection Team on 01392 210700 or email firstname.lastname@example.org.