Marriott Faces Close to £100 Million Fine Over 2018 Data Breach

Jul 9, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

On Monday, the UK’s Information Commissioner Office (ICO) slapped British Airways with a potential £183 million fine for its 2018 data breach. To follow that up, on Tuesday, the ICO detailed its intention to fine Marriott more than £99 million for its November 2018 data breach.

Like the BA fine, the ICO’s fine on Marriott was placed because of ‘infringements of the General Data Protection Regulation (GDPR)’. That GDPR breach involved the stealing of personal information of about 339 million Marriott guests.

The information exposure first started in 2014 but didn’t come to light until 2018, when Marriott originally said that more than 500 million guests had been affected. Marriott plans to fight the fine.

“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott CEO Arne Sorenson said in a statement. “Marriott has been co-operating with the ICO throughout its investigation into the incidents, which involved a criminal attack against the Starwood guest reservation database”.

In the eyes of the ICO, Marriott should have done more to review Starwood’s data practices and securing its systems. The watchdog agency now says that Marriott has made improvements to its security since the events came to light.

Under GDPR regulations, the ICO had the ability to impose a fine of up to 4% of a company’s global annual revenue.

Featured photo by Roberto Machado Noa/LightRocket via Getty Images.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.