UK plans to fine Marriott $123 million for data breach

A U.K. agency on Tuesday said it intends to fine Marriott International $123 million for a data breach last year that exposed the personal information of more than 500 million hotel guests.

The U.K.’s Information Commissioner’s Office (ICO) said Marriott infringed on the European Union’s General Data Protection Regulation (GDPR) as a result of the debilitating data breach.

{mosads}The planned financial penalty comes less than a year after Marriott announced that hackers had accessed its Starwood guest reservation database and exposed names, passport numbers, dates of birth, email addresses and some payment card numbers.

The breach compromised the records of around 30 million customers in 31 countries in the European Economic Area, with 7 million of those records pertaining to British residents.

The ICO investigated the data breach and concluded that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

Marriott International CEO Arne Sorenson said in a statement that the company is “disappointed” with the ICO’s decision.

“We deeply regret this incident happened,” Sorenson said. “We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Sorenson also noted that the Starwood database is no longer used for business operations by Marriott.

Companies fined by the ICO have the right to respond to the agency’s decisions, and Marriott said in a statement Tuesday that it intends to do so while “vigorously defending its position.”

The ICO noted that it intends to “consider carefully” the response given by Marriott before making a final decision on the case.

British Information Commissioner Elizabeth Denham said in a statement that “personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

The GDPR, which went into effect in May 2018, is designed to give individuals greater control of their data, and requires groups that control or use customer data to put in place measures to secure that information.

Jake Olcott, vice president of cybersecurity ratings group BitSight, told The Hill in a statement that “these fines make it clear — executives and boards are responsible and accountable for cybersecurity.”

“It has never been more important for them to understand and manage their organization’s security performance just like they would manage any other critical business issue,” Olcott added. “When it comes to cybersecurity, ongoing briefings, regular reporting, and performance metrics are no longer nice to have — they are required.”