Precedent corpus / ICO (United Kingdom)
Marriott International, Inc.
ICO (United Kingdom) case marriott-2020-10, decided 2020-10-30. EUR 21,000,000.
What the regulator decided
An attacker placed a web shell on a Starwood guest-reservations system in or around July 2014 and maintained undetected access through Marriott's 2016 acquisition until September 2018, exfiltrating up to 339 million guest records (including 7 million UK records); Marriott failed to implement appropriate security measures to protect the personal data and to assess the Starwood IT estate adequately on acquisition, breaching Article 5(1)(f) and Article 32 GDPR.
Primary source
Regulator-owned URL. Quote this in legal briefs and academic citations.
https://ico.org.uk/media2/migrated/2618524/marriott-international-inc-mpn-20201030.pdfConsentMark interpretation
Operator-readable note on how this case shapes the ConsentMark scanner narrative. Not a legal opinion; cites the primary source.
EUR amount approximate (round-trip from GBP 18.4M at the enforcement- date FX rate). The original notice of intent was GBP 99.2M; the pandemic-period discount and other mitigating factors reduced the final. Cite when the scanner narrative needs the precedent that acquisition due-diligence on the security posture of an acquired estate is a controller obligation, not just commercial good practice.
Verification trail
- Verified by
- donal
- Verified at
- 2026-05-27
- Review due
- 2026-11-27
Cite this case
Pick the format that matches where you are pasting. The methodology version is preserved in every variant so the citation stays verifiable after future methodology changes.
@misc{consentmark-precedent-ico-marriott-2020-10,
author = {{ConsentMark}},
year = {2020},
title = {ICO (United Kingdom) marriott-2020-10 - Marriott International, Inc.},
howpublished = {\url{https://www.consentmark.com/precedent/ico-marriott-2020-10}},
note = {ConsentMark methodology v1.3}
}ConsentMark. (2020, October 30). ICO (United Kingdom) marriott-2020-10 - Marriott International, Inc.. Methodology v1.3. https://www.consentmark.com/precedent/ico-marriott-2020-10[ICO (United Kingdom) marriott-2020-10 - Marriott International, Inc. - ConsentMark](https://www.consentmark.com/precedent/ico-marriott-2020-10)ICO (United Kingdom) marriott-2020-10 - Marriott International, Inc. - ConsentMark, 2020-10-30, methodology v1.3, https://www.consentmark.com/precedent/ico-marriott-2020-10