The United Kingdom’s data protection regulator plans to fine Marriott International $124 million for last year’s massive data breach involving 339 million guest records.
The data breach dates back to 2014, possibly even before Marriott acquired Starwood, but was not identified until 2018. The fine from the Information Commissioner’s Office (ICO) falls under the European Union’s General Data Protection Regulation and follows action against British Airways, which is facing a $229 million fine after suffering a cyberattack in September 2018, says a news report.
The ICO said, "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." Its decision isn't final.
In a statement, Marriott said, "Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position." It also noted the Starwood guest reservation database that was attacked is no longer used for business operations.
Marriott International’s President and CEO, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”