Hot on the heels of British Airways, international hotel group Marriott is set to face the wrath of the UK’s data privacy regulator.
The country’s Information Commissioner’s Office (ICO) said it plans to fine the US-based chain £99 million ($123 million) under EU GDPR laws for a data breach that exposed personal details of over 339 million guests.
Seven million of the affected users were UK residents, and 30 million related to residents of 31 countries in the European Economic Area (EEA).
The incident concerns a 2014 data breach of hotel company Starwood, which was acquired by Marriott in 2016. The breach, however, wasn’t detected until November 2018.
Information Commissioner Elizabeth Denham said companies collecting personal data have a legal duty to protect it, and that the ICO will not hesitate to take strong action if that doesn’t happen.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” Denham said. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The latest ICO fine comes a day after UK airline British Airways was hit with an even larger penalty of £183 million ($229 million). The BA fine was the biggest ever issued by the ICO, and the first under the EU General Data Protection Regulation (GDPR) laws.
The updated regulations, which went into effect last year, state that the ICO can seek a fine of up to 4 percent of a company’s worldwide annual revenue in the prior financial year. This marks a significant increase on the maximum fine of up to £500,000 it could levy under the UK’s previous data protection guidelines.
Marriott said it would appeal against the fine.
“We are disappointed with this notice of intent from the ICO, which we will contest,” CEO Arne Sorenson said. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
It’s quite surprising that the company got off with a relatively light penalty given the extent of the breach. But make no mistake. The ICO rampage is only a start and should put companies that deal with personal data on high alert.
Above all else, the fines are a clarion call for companies to beef up their security practices and leave nothing to chance when it comes to safeguarding the data of their customers. And if monetary penalties are the only way to change their behavior, so be it.