Hotel giant Marriott faces a £99 million fine from the UK’s data protection watchdog for a security breach which exposed the personal details held in up to 383 million guest records.
In November, Marriott International admitted that data including credit card details, passport numbers and dates of birth had been stolen in a vast international hack of guest records.
The UK Information Commissioner’s Office has now issued a notice of its intention to fine the world’s third biggest hotel group more than £99.2 million (AU$178.4 million) for “infringements” of the General Data Protection Regulation.
It is the second time in two days that the ICO has announced an enormous fine for a data breach: on Monday, British Airways was handed a £183 million fine following a hack of half a million customer records.
Marriott has the right to respond before any final determination is made and a fine can be issued, and the company has declared its intention to “vigorously” defend its position. The ICO says it will carefully consider those representations before it takes its final decision.
Marriott International president and chief executive, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest.
“Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The issue is believed to have begun with a compromise of the Starwood hotel group’s systems back in 2014. Marriott acquired the group in 2016 but did not discover the breach until two years later.
The ICO said its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Information commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Under the GDPR, the ICO can fine a company up to four percent of its annual global turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about three percent of the company’s global revenue.
A credit card stealing group known as Magecart is believed to have been behind the Starwood breach.