The Information Commissioner’s Office (ICO) has fined Marriott £18.4 million in relation to a 2014 cyber-attack on Starwood Hotels, which Marriott acquired in 2016.

The ICO had previously issued a notice of its intention to fine Marriott £99.2 million. The penalty notice does not explain why the final fine is considerably lower than this amount.

The data breach was only discovered in 2018, and the ICO has made clear that its decision relates solely to Marriott’s failures after 25 May 2018 (i.e. post-GDPR) despite the historic, pre-2018 nature of the cyber-attack.

The ICO identified four principal security failures, which may be useful for organisations looking to understand the level of security measures that the regulator expects to be in place.

Further detail, including discussion of the due diligence that a buyer should undertake on an M&A transaction, can be found in this post on our Data blog.