The UK's data privacy watchdog has fined the Marriott Hotels chain £18.4m for a major data breach that may have affected up to 339 million guests.
The Information Commissioner's Office (ICO) said names, contact information, and passport details may all have been compromised in a cyber-attack.
The breach included seven million guest records for people in the UK.
The ICO said the company failed to put appropriate safeguards in place but acknowledged it had improved.
The first part of the cyber-attack happened in 2014, affecting the Starwood Hotels group, which was acquired by Marriott two years later.
But until 2018, when the problem was first noticed, the attacker continued to have access to all affected systems, including:
- email addresses
- phone numbers
- passport numbers
- arrival and departure information
- VIP status
- loyalty programme numbers
On that basis, the ICO said Marriott had failed to protect personal data as required by the General Data Protection Regulation (GDPR).
In some ways you can feel sorry for Marriott.
In all the boardroom discussions about the company's takeover of Starwood, I bet it never realised that a hacker was already lurking inside the valuable databases they were buying.
The cyber-criminals had been in the systems for years, and were effectively thrown into the merger deal without Marriott having a clue.
Herein lies the issue, though - it seems the larger hotel didn't check what it was buying.
The ICO report makes clear Marriott beefed up the security of Starwood's IT systems far too late and the hackers had free rein to move around, cherry-picking the data that would sell best on criminal forums.
The fine is nothing like the £99m the ICO planned to issue, but it's still a massive deterrent for future companies.
It may make executives planning their next big mergers look more carefully and cautiously at the databases they're about to acquire.
"Millions of people's data was affected by Marriott's failure," commissioner Elizabeth Denham said.
"Thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not."
Different types of data were exposed for different guests, and some of the estimated 339 million may have represented duplicate records for repeat guests, making an exact count impossible.
Despite imposing a fine, the ICO acknowledged that Marriott had acted quickly once it found the flaw, and had improved its systems since.
In a statement, Marriott wrote that it "deeply regrets the incident".
"Marriott remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems.
"The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests," it said.