Marriott International — GDPR Fine (£18.4M)
The ICO fined Marriott International £18.4 million following a data breach that began in 2014 and ran through 2018. The breach originated in the reservation systems of Starwood Hotels prior to Marriott's acquisition of Starwood in 2016. Approximately 339 million guest records worldwide were affected, including 7 million UK residents.
What Went Wrong
The breach originated in Starwood's systems before Marriott acquired the company. Marriott did not conduct adequate security due diligence on Starwood's IT systems during the acquisition. The attacker retained persistent access to Starwood's reservation system for 4 years before the intrusion was detected.
Lessons Learned
M&A cybersecurity due diligence is critical. Acquiring a company means inheriting its security vulnerabilities. Security assessments, including penetration testing, should be conducted before and after major acquisitions, and post-acquisition security integration timelines must be aggressive.
Source: Official Enforcement Record