Marriott gets slammed with $123 million fine after a major data breach exposed the personal data of 339 million hotel guests

  • The UK’s Information Commissioner’s Office (ICO) plans to
    fine hotel giant Marriott International £99 million (about
    $123 million) for a data breach that exposed the sensitive
    data of 339 million guests.
  • The breach occurred in 2014 in hotel company Starwood’s
    database. Marriott inherited the undetected breach when it bought
    Starwood in 2016. Marriott discovered the breach in November
    2018. 
  • The Information Commissioner’s Office stated that Marriott did
    not conduct sufficient due diligence when it bought Starwood.
  • Marriott intends to defend its position against the fine.

The UK’s Information Commissioner’s Office (ICO) announced on
Tuesday that it intends to fine hotel giant Marriott International
£99 million (about $123 million) for a data breach that exposed the
sensitive data of 339 million guests.

Following its investigation of the breach, the ICO said that
Marriott had “failed to undertake sufficient due diligence when it
bought Starwood and should also have done more to secure its
systems.” The ICO’s intention to fine Marriott is based on
“infringements of the General Data Protection Regulation (GDPR).”

The incident occurred in 2014, when hotel company Starwood’s
database was breached. Marriott bought Starwood in 2016 and
inherited the breach, which went undetected until November 2018.

The breach exposed sensitive guest data, including combinations
of names, mailing addresses, phone numbers, email addresses,
passport numbers, Starwood Preferred Guest account information,
dates of birth, genders, arrival and departure information,
reservation dates, and communication preferences. Some encrypted
payment card numbers and expiration dates were also exposed, but in
its initial statement in November the company didn’t confirm
whether the encryption had kept that payment information safe.

Marriott International said that “the company intends to respond
and vigorously defend its position,” and that it “has the right to
respond before any final determination is made and a fine can be
issued by the ICO.”

“We are disappointed with this notice of intent from the ICO,
which we will contest,” Marriott International’s president and CEO,
Arne Sorenson, said in a statement. “Marriott has been cooperating
with the ICO throughout its investigation into the incident, which
involved a criminal attack against the Starwood guest reservation
database. We deeply regret this incident happened. We take the
privacy and security of guest information very seriously and
continue to work hard to meet the standard of excellence that our
guests expect from Marriott.”

According to its guidelines, the GDPR allows fines of up to 4% of a
company’s worldwide annual revenue for the prior financial year.

Source: FS – All-Travel destinations-News