The UK's Information Commissioner's Office (ICO) intends to impose a fine of £99,200,396 ($123,705,870) on international hotel chain Marriott for last year's data breach.
In November 2018, Marriott disclosed that hackers had been accessing the Starwood guest reservation database since 2014. Initially, the company said the intruders stole the details of roughly 500 million hotel guests, a figure it later revised down to 383 million following a more thorough investigation.
According to a post mortem of the hack, hackers stole:
- 383 million guest records
- 18.5 million encrypted passport numbers
- 5.25 million unencrypted passport numbers
- 9.1 million encrypted payment card numbers
- 385,000 card numbers that were still valid at the time of the breach
Class-action lawsuits started piling on hours after Marriott announced its security breach.
ICO: Marriott's security practices violated GDPR
Now, the ICO says it intends to fine Marriott for violations of the EU's General Data Protection Regulation (GDPR).
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," said Information Commissioner Elizabeth Denham.
"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public," Denham said.
In a filing with the US Securities and Exchange Commission today, Marriott said it plans to contest the ICO's fine once the penalty notice is formally issued.
"We are disappointed with this notice of intent from the ICO, which we will contest," said Marriott International's President and CEO, Arne Sorenson.
"We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
Sorenson said Marriott retired the compromised Starwood guest reservation system earlier this year.
This is the ICO's second announcement in two days of plans to fine a large organization for GDPR violations. Yesterday, the ICO announced plans to fine British Airways £183 million ($230 million) after the airline failed to protect its website, which had been infected with a web-based card skimmer that collected payment details from BA customers between April and June 2018.