Marriott International, which disclosed in November 2018 that its Starwood hotel reservation system had suffered a massive data breach, could be forced to pay a fine of $123.7 million for its role in the incident.
In a statement, the UK's Information Commissioner's Office (ICO) alleged that the hotel chain violated Europe’s General Data Protection Regulation (GDPR) by not taking action for several years as the breach unfolded.
It’s estimated that about 339 million guests had their information exposed in the incident. The ICO says Marriott should have taken additional measures to bolster security and that it should have done so sooner.
Years to address the vulnerability
The ICO noted that the Starwood vulnerability is believed to have originated in 2014, but Marriott didn’t disclose the breach until 2018 -- a full two years after it acquired Starwood.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The regulator added that organizations have a “legal duty” to ensure the security of customers’ personal data.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” Denham said.
The ICO noted in its announcement that Marriott has cooperated with the investigation and improved its security since the incident.
In a filing with the U.S. Securities and Exchange Commission (SEC), the hotel chain said it is “disappointed with this notice of intent from the ICO” and plans to contest the proposed fine.
Earlier this week, the ICO issued another notice of intent to fine over a GDPR-related incident. The regulator said a separate investigation it conducted recently showed British Airways had “poor security arrangements” in place prior to the 2018 data breach it suffered. British Airways could be hit with a $229 million penalty for its allegedly insufficient security measures.