The U.K. data protection authority intends to fine Marriott $123 million over a data breach that exposed around 383 million guests. The previous year, Marriott revealed that the central reservation database of its Starwood properties had been hacked; the exposed data included 5 million unencrypted passport numbers along with the data of 8 million credit cards.
The breach dates back to 2014 but was not revealed until Nov. 2018. Marriott later pulled the hacked reservation system from its operations. According to the U.K. Information Commissioner’s Office (ICO), its investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure the systems.
According to the Information Commissioner’s Office, the breach affected about 30 million people residing in the European Union; the office confirmed the proposed fine in a statement on Tuesday. Marriott, however, says it “has the right to respond” before any fine is imposed and “intends to respond & vigorously defend” its position.
“We are disappointed with the notice of intent from the ICO, which we will contest,” said Marriott’s chief executive, Arne Sorenson. He added, “Marriott has been cooperating with the ICO throughout the investigation into the incident, which included a criminal attack against the Starwood guest reservation database.”
Under the new GDPR regime, the ICO has the right to fine a company up to 4% of its annual turnover. Given that Marriott made revenue of about $3.6 billion during 2018, the ICO's fine represents around 3% of the company's global revenue. According to the ICO, Marriott will be given a chance to discuss the proposed findings and sanctions.