Marriott Faces Close to $125 Million Fine Over 2018 Data Breach
On Monday, the UK's Information Commissioner's Office (ICO) slapped British Airways with a potential £183 million fine for its 2018 data breach. To follow that up, on Tuesday, the ICO detailed its intention to fine Marriott more than £99 million (nearly $125 million) for its November 2018 data breach.
Like the BA fine, the ICO's fine on Marriott stems from 'infringements of the General Data Protection Regulation (GDPR)'. The breach involved the theft of personal information belonging to about 339 million Marriott guests.
The information exposure started in 2014 but didn't come to light until 2018, when Marriott originally said that more than 500 million guests had been affected. Marriott plans to fight the fine.
"We are disappointed with this notice of intent from the ICO, which we will contest," Marriott CEO Arne Sorenson said in a statement. "Marriott has been co-operating with the ICO throughout its investigation into the incidents, which involved a criminal attack against the Starwood guest reservation database".
In the eyes of the ICO, Marriott should have done more to review Starwood's data practices and secure its systems. The watchdog agency now says that Marriott has made improvements to its security since the events came to light.
Under the GDPR, the ICO had the ability to impose a fine of up to 4% of a company's global annual revenue.