The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.
Marriott revealed last year that its acquired Starwood properties had its central reservation database hacked, including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018. Marriott later pulled the hacked reservation system from its operations.
The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
The breach affected about 30 million residents of European Union, according to the ICO, which confirmed the proposed fine in a statement Tuesday.
But Marriott said it “has the right to respond” before a fine is imposed and “intends to respond and vigorously defend” its position.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott’s chief executive Arne Sorenson, in a filing with the U.S. Securities and Exchange Commission. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
Under the new GDPR regime, the ICO has the right to fine up to four percent of a company’s annual turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about 3 percent of the company’s global revenue.
The ICO said Marriott will be given an opportunity to discuss the proposed findings and sanctions.
“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision,” said the U.K. data protection authority.
The proposed Marriott fine comes hot on the heels of a record fine imposed of $230 million by the ICO on Monday following the British Airways data breach. The airline confirmed about 500,000 customers had their credit cards skimmed over a three week period between August and September 2018.
Researchers said a credit card stealing group known as Magecart was to blame.