The Information Commissioner’s Office (ICO) has announced its intention to fine Marriott International for breaching the General Data Protection Regulation (GDPR). In its statement, the ICO says that approximately 339 million guest records containing personal data were exposed. The breached records include 31 million relating to residents of 31 countries in the European Economic Area (EEA) and seven million relating to UK residents.
The proposed fine of USD 124mn relates to the compromise of the Starwood guest reservation database in 2014. The incident came to light on November 30, 2018. The ICO states that Marriott failed to exercise due diligence in securing its systems when it bought Starwood in 2016.
Elizabeth Denham, Information Commissioner, said, “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision,” the statement adds.
In response, Marriott’s official statement confirmed that the Starwood database that was attacked is no longer used for business operations.
Arne Sorenson, president and CEO of Marriott International, said, “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The statement notes that the company has the right to respond before any final determination is made. Marriott has conveyed its intent to respond to the ICO and to ‘vigorously defend its position’. “We are disappointed with this notice of intent from the ICO, which we will contest,” Sorenson adds.
Earlier this week, the ICO announced its intent to fine British Airways USD 229mn for infringements of the GDPR.