The U.K. Information Commissioner’s Office (ICO) has proposed a fine of $124 million against Marriott International over a data breach in its Starwood hotels reservation system involving up to 383 million guests.
Regulators said the Starwood system was compromised in 2014 and hackers had access to customer data over a four-year period.
Marriott plans to challenge the proposed fine.
“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott chief executive officer Arne Sorenson said in a statement.
The fine is the second major enforcement action proposed by the ICO this week under Europe’s General Data Protection Regulation. On Monday, the ICO announced a proposed $230 million penalty against IAG, the owner of British Airways, over a hack that affected 500,000 customers.
Marriott made the announcement it had been hacked on November 30, 2018. Initially, the company said hackers stole the details of roughly 500 million customers before revising the number down. The ICO said the compromised information included 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment card numbers, and 385,000 card numbers that were still valid at the time of the breach.
The hack impacted about 30 million guest records related to residents of the European Economic Area, the ICO said. Seven million records were related to U.K. residents.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The regulator said Marriott cooperated with its investigation and made security improvements since the hack was disclosed.
Marriott said the Starwood guest reservation system was retired earlier this year.
Photo: Justin Sullivan/Getty Images