The UK's Information Commissioner's Office (ICO) intends to impose a fine of £99,200,396 ($123,705,870) on international hotel chain Marriott for last year's data breach.
Also: My stolen credit card details were used 4,500 miles away. I tried to find out how it happened (cover story PDF) TechRepublic
In November 2018, Marriott disclosed that hackers accessed the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, a number which the hotel chain later corrected to 383 million following a more thorough investigation.
According to a post mortem of the hack, hackers stole:
Class-action lawsuits started piling on hours after Marriott announced its security breach.
Now, the ICO says it intends to fine Marriott for violations to the EU's General Data Protection Regulation (GDPR).
"The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," said Information Commissioner Elizabeth Denham.
"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public," Denham said.
In a filing with the US Securities Exchange Commission, Marriott said it plans to appeal the ICO's fine, when formally filed.
"We are disappointed with this notice of intent from the ICO, which we will contest," said Marriott International's President and CEO, Arne Sorenson.
"We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
Sorenson said Marriott retired the compromised Starwood guest reservation system earlier this year.
This is the ICO's second announcement about plans to fine a large organization for GDPR violations. The ICO announced yesterday plans to fine British Airways £183 million ($230 million) after the British company failed to protect its website, which was infected with a web-based card skimmer that collected payment details for BA customers between April and June 2018.