Marriott faces $124 million fine from U.K. for data hack

This is the second time in two days the U.K. has cracked down on privacy breaches after proposing a $228M penalty against British Airways.

A logo is displayed on an entry door to a Marriott International hotel in Chicago, Illinois, U.S., on Friday, Nov. 30, 2018. A cyber breach in Starwood’s reservation system had allowed unauthorized access to information about as many as 500 million guests since 2014. (Photo: Daniel Acker/Bloomberg)

The massive hacking of Marriott International reservation databases could lead to a 99 million-pound ($124 million) fine as the U.K. cracked down on privacy breaches with its second major penalty notice in two days.

The cyberattack, which Marriott disclosed last year, exposed information on 339 million guest records, including 7 million related to British residents, the U.K. Information Commissioner’s Office said in a statement Tuesday. It’s the second time in two days the regulator has taken advantage of far-reaching European Union powers after proposing a 183.4 million-pound ($228 million) penalty against British Airways.

The proposed fine also highlights an emerging risk in mergers and acquisitions, with the ICO blaming Marriott for failing to conduct sufficient due diligence on its acquisition of Starwood Hotels & Resorts. The intrusion is believed to have begun in 2014 in a Starwood database, two years before Marriott acquired the company, and it went undetected until 2018.

“Organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in the statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The ICO said Marriott has cooperated with the regulator’s investigation and has improved its security since discovering the breach last year. The regulatory process allows Marriott to dispute the ICO’s fine, which the company plans to do.

“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott Chief Executive Officer Arne Sorenson said in a separate statement. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect.”

The fine amounts to about 2.4% of Marriott’s total revenue, below the possible maximum of 4% that the ICO could have levied under the data-protection rules, according to Michael Bellisario, an analyst at Robert W. Baird & Co. While it’s possible the ultimate amount will be reduced or partially covered by cyber insurance, “we believe investor sentiment toward Marriott could become less positive in the near term,” he said in a note Tuesday.

The ICO proposed its British Airways penalty after attackers diverted traffic from BA’s website to a fraudulent site through which customer details were harvested. BA parent IAG SA said the fine amounts to 1.5% of the airline’s 2017 revenue.

The EU’s General Data Protection Regulation, which took effect on May 25, 2018, requires companies to put in place appropriate technical and organizational measures, such as encryption, to protect personal data. It also requires firms to notify the supervisory authority of a breach within 72 hours of becoming aware of it. Violations may lead to fines of as much as 4% of a company’s annual worldwide turnover or 20 million euros, whichever is higher.

“Taken together, and especially given the basis of this Marriott fine, this should be a worrying development for any company subject to ICO’s jurisdiction on GDPR,” said Tamlin Bason, an analyst at Bloomberg Intelligence. “The ICO is taking an aggressive stance on breaches.”

Copyright 2024 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.