The Information Commissioner’s Office is set to fine international hotel group Marriott almost £100 million over a data breach that compromised the records of 339 million guests.
Marriott International, the parent company of hotel chains including Sheraton, Le Meridien and Westin, admitted that personal data, including dates of birth, passport numbers and credit card details, had been stolen by hackers. Records show that about 30 million of the hacked guest records related to residents of 21 countries in the European area.
The news came after British Airways received a £183 million fine under the General Data Protection Regulation (GDPR). The ICO confirmed that the personal information of half a million of the airline’s customers was hacked.
Following an investigation, the ICO said that the issue began in 2014, when the systems of the Starwood hotels group, which Marriott acquired in 2016, were compromised. The theft of customer information was only discovered last year. The ICO said that Marriott had failed to undertake sufficient due diligence to make sure that Starwood’s IT systems were secured.
Elizabeth Denham, the information commissioner, said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
Meanwhile, Marriott has released a statement saying it would appeal against the fine. It added that the Starwood guest reservation database was no longer used for business operations.
Arne Sorenson, the president and chief executive of Marriott International, said: “We are disappointed with this notice of intent from the ICO, which we will contest. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The ICO can seek a fine of up to 4 per cent of the company’s global annual revenue for a breach under the GDPR.