Marriott International to be fined £99m for data breach
Hotel chain Marriott is set to be fined more than £99m for a data breach that compromised the personal details of roughly 393m guests.
The Information Commissioner’s Office (ICO) today announced its intention to hand down the fine following an “extensive” investigation into the breach.
Marriott has said it will “vigorously” defend itself against the planned fine.
The breach is thought to have occurred after a 2014 cyber attack on the Starwood hotels group, which Marriott acquired in 2016. However, the breach was not discovered until November last year.
The ICO said Marriott failed to undertake sufficient due diligence when it bought Starwood, and argued the company should have done more to secure its systems.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott International president and chief executive Arne Sorenson.
“Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
The fine will be only the second penalty imposed under the General Data Protection Regulation (GDPR), which was introduced last year.
On Monday the ICO issued a record £183m fine to British Airways for a cyber attack on the airline’s website last year.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” said information commissioner Elizabeth Denham.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Matthew Holman, principal at law firm EMW, warned Marriott could suffer a second hit if customers seek compensation for the breach. British Airways is now facing a class action lawsuit from thousands of customers whose data was stolen.
“The recent fines are a clear message of intent to those businesses and all others: the ICO will levy crippling fines when personal data of individuals is lost, even if those individuals suffer no harm,” Holman said.