By decision of 30 October 2020, the ICO (i.e., the UK data protection authority) issued an £18.4 million fine on Marriott International Inc for failing to comply with its GDPR security obligation.
This decision stems from a cyber attack on Starwood, a company acquired by Marriot in 2016, notified to the ICO in 2018. The ICO investigation traced the cyber-attack back to 2014. It concerned million of customers’ personal information, including among other their reservation details, payment card details, and passport number.