The United Kingdom’s data protection regulator plans to fine Marriott $124 million (£99 million) for last year’s massive data breach involving around 339 million guest records.
The fine from the Information Commissioner’s Office (ICO) falls under the European Union’s General Data Protection Regulation and follows action against British Airways, announced earlier this week. The incident in question dates back to 2014, before Marriott bought Starwood, but wasn’t identified until 2018.
Following an investigation, the ICO found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” The ICO’s decision is not yet final, and Marriott said it intended to “respond and vigorously defend its position.”
“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said Arne Sorenson, Marriott International’s president and CEO.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The data breach cost the company $28 million pre-tax, but those expenses were offset by insurance recoveries of approximately $25 million and did not affect adjusted earnings, Marriott Chief Financial Officer Lenny Oberg noted during an April 26 earnings call with investors. Marriott said the Starwood data system targeted in the attack was “no longer used for business operations.”
The ICO has taken the lead on the case but has worked with other EU Member State data protection authorities. Of the 339 million guest records exposed in the attack, around 30 million related to residents of 31 countries in the European Economic Area, with 7 million tied to UK residents.