Marriott’s GDPR Fine – Lessons to be Learned

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018.  Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

As was widely reported, in November 2018, Marriott disclosed that hackers accessed the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, which the hotel chain later corrected to 383 million following a more complete investigation.  Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 5 million encrypted passport numbers
  • 25 million unencrypted passport numbers
  • 1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

What went wrong? What can be distilled from Marriott’s experience that other companies can apply in their efforts to comply with the GDPR?

For JMBM’s Hotel Law Blog, I have outlined some important lessons learned, particularly for U.S. companies with business with Europe. To read the blog, see Cybersecurity Lawyer: Lessons from Marriott’s $123 million GDPR fine.

— Bob Braun


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.