Marriott hit with $124 million fine for 2018 data breach

The U.K. Information Commissioners Office (ICO) intends to levy a £99,200,396, or $124 million, fine against Marriott International in response to the data breach suffered by that company’s Starwood reservation data base in November 2018.

Marriott reported the ICO’s intention to impart the fine, but said in a statement the company will use its right to respond and “vigorously defend itself” before any final determination is made and the fine actually issued by the ICO.

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said Marriott International’s President and CEO, Arne Sorenson.

Marriott revealed the data breach on November 30, 2018, and said malicious actors spent more than four years inside Marriott’s Starwood reservation system obtaining access to 500 million guest records that included names, payment card information and other PII. Marriott said in a statement at the time the malware was already residing in Starwood’s reservation system when the hotel chain purchased it in 2016.

The database in question is no longer in use.

Marriott’s potential fine comes just one day after the ICO hit British Airways with a record-breaking £183 million fine for last year’s data breach that compromised the personal data of 500 million of the airline's customers.

“These fines not only puts pay to any thoughts that the ICO lacked teeth in its pursuit of organizations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its number one priority. These could very well be the first of many large fines issued by the ICO and will most definitely serve as a wakeup call to organizations that offer goods or services to, or monitor the behavior of, EU data subjects,” said Tony Pepper, CEO of Egress Software.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.