Marriott: Potential for world’s first significant GDPR fine

The Starwood Hotel and Resort, which is part of the world’s largest hotel operator Marriott, came under intense scrutiny on Friday as it was revealed up to 500 million customers’ data had been part of a large-scale breach.

This breach could lead to the world’s first significant fine under the new General Data Protection Regulation (GDPR). Although the hotel giants are headquartered in the US, they would still fall under the European regulation.

This means that Marriott could be liable for a fine of up to 4% of their annual revenue, and because the breached data included sensitive personal information, a fine at that level could well be imposed.

The hotel group experienced their strongest year to date in 2017, with a reported annual revenue of $22.9 billion – a fine of 4% would cause significant damage.

Not only does the organisation face a large fine, the distrust that will surely be associated with the brand could also cause further disruption to business. Marriott saw a maximum share price drop of just over 8% after the breach was revealed.

The data breach could go back as far as 2014 and run up until September 10th of this year, meaning it would also include any future bookings made up to that date.

Marriott have said they are beginning to notify all those affected by the breach via email, but cyber experts are warning people to ensure these emails are official and not to fall foul to phishing emails.

327 million customer records containing information including passport details, birthdates, addresses, phone numbers and email addresses were exposed, according to the company. The hackers also accessed payment card data for an undisclosed number of customers, the hotel giant said.

The breach may well be the second largest on record, based upon the number of people affected, behind Yahoo, which in 2013 saw a breach that affected 3 billion user accounts.

GDPR.Report will be following the case closely in the coming days, as we are sure to see some major developments in the case.
