The UK’s ICO has reduced the size of a data breach penalty for hotel business Marriott — dropping it to £14.4 million (~$23.8M) in a final penalty notice down from the £99M ($123M) figure that the watchdog initially said it would levy in July 2019. The fine relates to a data breach suffered by the hotel giant that dates back to 2014 (involving the network of Starwood hotels, which it had acquired in 2015) — but which wasn’t discovered until November 2018. The personal data involved in the breach differed between individuals but the ICO said it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. Globally, some 339 million guest records were affected but fewer individuals are thought to have been compromised owing to some of the records being duplicates.