The U.K. data protection authority has announced its intention to fine Marriott £99 million ($123 million) for a breach that exposed up to 383 million guest records.
Last November the hotel company revealed that guest data had been accessed in a breach of the Starwood hotel guest reservation database. Of the up to 500 million guests initially said to be affected, around 327 million had information compromised that ranged from names, email addresses and Starwood account details to passport numbers. Marriott also stated that payment card numbers may have been taken even though they were stored encrypted, because it could not rule out that the components needed to decrypt them were taken as well.
The U.K.’s Information Commissioner’s Office (ICO) investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems,” according to Business Insider.
Marriott responded that “the company intends to respond and vigorously defend its position,” and that it “has the right to respond before any final determination is made and a fine can be issued by the ICO.”
“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott International’s president and CEO, Arne Sorenson, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Under the General Data Protection Regulation (GDPR), the ICO can fine a company up to €20 million or 4 percent of its global annual turnover, whichever is higher. Marriott reported total revenue of about $20.8 billion for 2018, so the ICO's proposed fine is roughly 0.6 percent of the company's global revenue, well below the cap.
This notice comes days after the ICO announced a record proposed fine of £183 million ($230 million) against British Airways for a data breach that affected about 500,000 customers over a roughly two-week period spanning August and September 2018.