Starwood's systems were compromised as soon as 2014, but Marriott didn't disclose the breach until 2018 -- two years after it completed the takeover of Starwood. It's now estimated that about 339 million guests were exposed, 30 million of them in the European Economic Area and 7 million of them in the UK. Over 5 million unencrypted passport numbers were affected by the intrusion.
While the ICO said Marriott had cooperated with the investigation and improved its security since the breach, it's not going to fine the hotel giant without a fight. Marriott said in a statement that it was "disappointed" with the outcome and intended to "contest" the potential fine. It might not earn much sympathy from officials, though. The ICO has already signaled plans to fine British Airways $230 million for a data breach, and that was for a two-week period. It's not likely to go easy on Marriott when the company theoretically had years to detect and address a security concern.