In November 2018, the Marriott hotel group revealed it had been the victim of a four-year campaign by hackers to steal customer data from its reservations system. Now it's going to have to pay the price for failing to keep that data safe.
The Information Commissioner's Office (ICO), the UK's privacy watchdog, announced Tuesday that it intends to fine Marriott £99.2 million ($124M) over the security breach. It's issuing the fine under the GDPR, the far-reaching EU-wide privacy law introduced in May 2018.
Hackers breached the security systems of Starwood Hotels in 2014. Marriott bought Starwood in 2016, but didn't discover and then patch the breach until 2018. Personal data from 339 million guest records (30 million European citizens and 7 million UK citizens) was exposed in the incident.
Marriott CEO Arne Sorenson said in a statement that he was "deeply disappointed" with the decision by the Information Commissioner's Office and that he would contest it. "Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database," he said.
Last year the EU overhauled its pre-internet data protection laws to make them fit for the internet age. Under the GDPR, member states are able to fine companies up to 20 million euros ($22.4 million) or 4% of their total annual worldwide revenue in the preceding financial year if they fail to comply with the new rules. The Marriott fine is the second GDPR-related fine the ICO has announced this week. On Monday, the watchdog announced its intention to issue a £183.4 million ($230M) fine over a 2018 data breach.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham in a statement. "Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Marriott acknowledged the challenges and the disruptions they pose.
"We deeply regret this incident happened," said Sorenson. "We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."