Marriott is facing a hefty fine for failing to keep customer data safe.
The UK Information Commissioner’s Office (ICO) has said it intends to fine the international hotel giant about $124 million in relation to last year’s massive Starwood guest reservation database incident, which involved hackers gaining access to 339 million guest records.
The reservation system hack, dubbed one of the largest in history, exposed customers’ payment card numbers, phone numbers, and email addresses.
In subsequent statements issued by the hotel company after the breach, it also became clear that about 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also included approximately 20.3 million encrypted passport numbers.
The hotel giant has said there’s no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.
The stolen data included information belonging to 30 million European citizens and seven million UK citizens, which is why the ICO has gotten involved.
Marriott’s CEO, Arne Sorenson, issued a statement today in response to the news of a looming ICO fine.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Sorenson. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
“We deeply regret this incident happened,” added Sorenson. “We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The hotel company’s statement added that Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. Marriott said it intends to respond and vigorously defend its position.
The Starwood guest reservation database that was attacked is no longer used for business operations.
According to a report in CNET, last year the EU overhauled its pre-internet data protection laws to make them more appropriate for the internet age.
As a result, under the GDPR, member states are allowed to fine companies 20 million euros ($22.4 million) or 4 percent of their total annual worldwide revenue in the preceding financial year if they fail to comply with the new rules.
The Marriott fine represents the second GDPR-related fine the ICO has announced this week, according to CNET. On Monday, the watchdog announced its intention to fine British Airways $230 million in relation to a 2018 data breach.