Marriott International is to be fined £99.2 million for a massive data breach that it disclosed last year.
The penalty, levied by the ICO (Information Commissioner’s Office), relates to a cyber attack that occurred in 2014 but was only disclosed last November.
The names and contact details of 383 million customers were compromised in the incident, along with millions of password numbers and payment card details.
The ICO’s announcement comes a day after it said it will fine British Airways £183.4 million for a breach it disclosed in September 2018.
These are the two largest fines for data breaches and the first to be issued in the UK under the GDPR (General Data Protection Regulation).
The Regulation, which came into effect in May 2018, promised to revolutionise data protection in the EU, giving supervisory authorities the power to issue fines of up to £20 million or 4% of an organisation’s annual global turnover (whichever is greater).
The breach occurred after cyber criminals discovered a vulnerability in the reservation system of the hotel’s Starwood subsidiary, giving them access to a database containing customer booking information.
The third-party IT company that managed the database spotted an anomaly in September 2018 and contacted Marriott.
The hotel chain investigated the incident, initially reporting that as many as 500 million customers were affected. However, it later downgraded that figure to 383 million.
Most of the compromised records were customers’ names and contact details. However, the crooks also accessed 25.55 million passport numbers, of which 5.25 million were unencrypted, and 8.6 million payment card records, all of which were unencrypted.
The information includes 30 million records belonging to EU residents.
Marriott International’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”