Marriott International has been fined £18.4m by the Information Commissioner’s Office (ICO) for a breach of the General Data Protection Regulation (GDPR) in failing to protect the personal data of millions of its customers.

The hospitality giant may feel unfairly punished by the fine – because the company itself was not responsible for the breach – but has said it does not intend to appeal the decision.

A cyber-attack on Starwood Hotels and Resorts Worldwide in 2014 is estimated by Marriott to have left the records of 339m worldwide guests vulnerable. Marriott acquired Starwood two years after the breach. The attack remained undetected until September 2018 and was reported in November 2018.

The true number of guests affected is unclear because some guests may have had multiple records. 7m of the records related to people in the UK.

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” said Elizabeth Denham, Information Commissioner.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Marriott said it regrets the incident but makes no admission of liability. It also stated that it continues to be committed to the privacy and security of its guests’ information and has reassured guests that Starwood’s network is no longer in use.

The ICO has acknowledged the work that Marriott has done to mitigate the risk of damage suffered by its customers and the measures it has put in place to improve security.

The fine comes just two weeks after the ICO hit British Airways with a £20m fine for a failure to protect the personal and financial details of more than 400,000 customers.

“Within just two weeks, the ICO has now issued a fine of £20m to British Airways and £18.4m to Marriott. These are the two highest confirmed fines in the history of the ICO in response to significant data security failures by both organisations,” said Chris Combemale, CEO of the Data & Marketing Association. “Given the dramatic fall in revenue that the travel and leisure sector has experienced during the coronavirus pandemic, these fines send a very powerful message to organisations that they must invest in keeping their customers’ data secure. Otherwise they will face penalties that could prove far more costly to the business.”