Marriott International Inc. on July 9, 2019, revealed that the UK Information Commissioner's Office (ICO) had proposed to fine the hotel chain $124 million due to a massive data breach in its Starwood hotels reservation system.
Marriott disclosed last year that the central reservation database of the acquired Starwood properties had been hacked, exposing, among other data, five million unencrypted passport numbers and eight million credit card records. The intrusion dated back to 2014 but was not discovered until November 2018. Reportedly, it is one of the largest breaches in history, involving up to 383 million guests.
"We are disappointed with this notice of intent from the ICO, which we will contest," Marriott Chief Executive Officer Arne Sorenson said in a statement.
Marriott's fine is one of the largest from the British data protection watchdog, which on July 8, 2019, proposed a record 183.4 million pound ($230 million) penalty for British Airways-owner IAG over the theft of 500,000 customers' data from the airline's website last year.
In the Starwood data breach, several million customer records containing information including passport details, birthdates, addresses, phone numbers and email addresses were exposed, according to the company.
According to the ICO, its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Under the new General Data Protection Regulation (GDPR) regime, the ICO has the right to fine up to 4% of a company’s annual turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about 3% of the company’s global revenue.
The ICO said that, before it takes a final decision, Marriott will be given an opportunity to discuss the proposed findings and sanctions.
“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision,” said the U.K. data protection authority.