Marriott International facing £99 million fine under GDPR rules

Hotel chain Marriott International is facing a £99 million fine under GDPR rules for a massive data breach which exposed the personal data of approximately 339 million guests over a four-year period.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The UK's Information Commissioner's Office has confirmed plans to levy the penalty on Marriott after the hotel chain raised the issue in a recent SEC filing.

The long-running breach exposed names, mailing addresses, phone numbers, email addresses, passport numbers, and, in some cases, encrypted payment card information. The attack compromised the personal data of around 30 million EU nationals and seven million UK residents.

It is believed the breach began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

The ICO has been investigating the case as lead supervisory authority on behalf of other EU Member State data protection authorities. Its investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Information Commissioner Elizabeth Denham says: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The anticipated levy on Marriott is dwarfed by a £183.39 million GDPR penalty facing British Airways following a data breach last year that compromised the personal information - including payment card details - of hundreds of thousands of people.
