Marriott faces $123 million GDPR fine in the UK for last year's data breach

The intent to fine Marriott comes a day after the ICO announced a $230 million GDPR fine against British Airways.
Written by Catalin Cimpanu, Contributor

The UK's Information Commissioner's Office (ICO) intends to impose a fine of £99,200,396 ($123,705,870) on international hotel chain Marriott for last year's data breach.


In November 2018, Marriott disclosed that hackers had been accessing the Starwood guest reservation database since 2014. Initially, the company said the hackers stole the details of roughly 500 million hotel guests, a number the hotel chain later corrected to 383 million following a more thorough investigation.

According to a post-mortem of the hack, the attackers stole:

  • 383 million guest records
  • 18.5 million encrypted passport numbers
  • 5.25 million unencrypted passport numbers
  • 9.1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

Class-action lawsuits started piling up within hours of Marriott announcing its security breach.

ICO: Marriott's security practices violated GDPR

Now, the ICO says it intends to fine Marriott for violations of the EU's General Data Protection Regulation (GDPR).

"The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected," said Information Commissioner Elizabeth Denham.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public," Denham said.

In a filing with the US Securities and Exchange Commission, Marriott said it plans to appeal the ICO's fine once it is formally issued.

"We are disappointed with this notice of intent from the ICO, which we will contest," said Marriott International's President and CEO, Arne Sorenson.

"We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."

Sorenson said Marriott retired the compromised Starwood guest reservation system earlier this year.

This is the ICO's second announcement in two days of plans to fine a large organization for GDPR violations. The ICO announced yesterday that it plans to fine British Airways £183 million ($230 million) after the British company failed to protect its website, which was infected with a web-based card skimmer that collected the payment details of BA customers between April and June 2018.
