Britain’s data privacy watchdog has said it has fined US hotels group Marriott over a data breach affecting millions of customers worldwide.

The UK Information Commissioner’s Office said in a statement it fined Marriott £18.4 million ($23.5 million) for breaches of data that included personal information such as passport numbers since March 2018.

That was when new EU data protection rules, or GDPR, came into effect.

The final penalty is far less than a figure of around £100 million originally planned by the ICO.

The watchdog said it had taken into account “steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on their business before setting a final penalty”.

Since the breach occurred before Britain left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The ICO said Marriott’s breach in fact dated back to 2014, uncovering client data including passport numbers.

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack six years ago on Starwood Hotels and Resorts Worldwide.

The ICO said the precise number of people affected remained unclear as there may have been multiple records for an individual guest.

It added that seven million guest records related to people in the UK.

“The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott,” the watchdog said.

“The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number,” it said.

Information Commissioner Elizabeth Denham said businesses are required to look after “precious” personal data belonging to clients.

“Millions of people’s data were affected by Marriott’s failure… When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect,” she said.