- Justin Sullivan/Getty Images
- The UK’s Information Commissioner’s Office (ICO) plans to fine hotel giant Marriott International £99 million (about $123 million) for a data breach that exposed the sensitive data of 339 million guests.
- The breach occurred in 2014 in hotel company Starwood’s database. Marriott inherited the undetected breach when it bought Starwood in 2016. Marriott discovered the breach in November 2018.
- The Information Commissioner’s Office stated that Marriott did not conduct sufficient due diligence when it bought Starwood.
- Marriott intends to defend its position against the fine.
- Visit Business Insider’s homepage for more stories.
The UK’s Information Commissioner’s Office (ICO) announced on Tuesday that it intends to fine hotel giant Marriott International £99 million (about $123 million) for a data breach that exposed the sensitive data of 339 million guests.
The ICO said that Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems” in its investigation of the breach. The ICO’s intention to fine Marriott is based on “infringements of the General Data Protection Regulation (GDPR).”
The incident occurred in 2014 when hotel company Starwood’s database was breached. Marriott bought Starwood in 2016 and inherited the breach that went undetected until November 2018.
The breach exposed sensitive guest data, including combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of births, genders, arrival and departure information, reservation dates, and communication preferences. Some encrypted payment card numbers and expiration dates were also exposed, but the company didn’t confirm whether that payment information was safe due to its encryption in its initial statement in November.
Marriott International said that “the company intends to respond and vigorously defend its position,” and that it “has the right to respond before any final determination is made and a fine can be issued by the ICO.”
“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott International’s president and CEO, Arne Sorenson, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
According to its guidelines, the GDPR can levy fines up to 4% of the worldwide annual revenue of a company’s prior financial year.