[BreachExchange] Marriott to face $123 million fine by UK authorities over data breach

Destry Winant destry at riskbasedsecurity.com
Thu Jul 11 09:55:22 EDT 2019


https://techcrunch.com/2019/07/09/marriott-data-breach-uk-fine/

The U.K. data protection authority said it will serve hotel giant
Marriott with a £99 million ($123 million) fine for a data breach that
exposed up to 383 million guests.

Marriott revealed last year that the central reservation database of
Starwood, the hotel chain it had acquired, had been hacked, exposing
records that included five million unencrypted passport numbers and
eight million credit card records. The intrusion dated back to 2014
but was not discovered until September 2018 and was disclosed that
November. Marriott later pulled the hacked reservation system from its
operations.

The U.K.’s Information Commissioner’s Office (ICO) said its
investigation found that Marriott “failed to undertake sufficient due
diligence when it bought Starwood and should also have done more to
secure its systems.”

The breach affected about 30 million residents of the European Union,
according to the ICO, which confirmed the proposed fine in a statement
Tuesday.

But Marriott said it “has the right to respond” before a fine is
imposed and “intends to respond and vigorously defend” its position.

“We are disappointed with this notice of intent from the ICO, which we
will contest,” said Marriott’s chief executive Arne Sorenson, in a
filing with the U.S. Securities and Exchange Commission. “Marriott has
been cooperating with the ICO throughout its investigation into the
incident, which involved a criminal attack against the Starwood guest
reservation database.”

Under the new GDPR regime, the ICO has the right to fine up to 4% of a
company’s annual global turnover. Given Marriott made about $3.6
billion in revenue during 2018, the ICO’s fine represents about 3% of
the company’s global revenue.

The ICO said Marriott will be given an opportunity to discuss the
proposed findings and sanctions.

“The ICO will consider carefully the representations made by the
company and the other concerned data protection authorities before it
takes its final decision,” said the U.K. data protection authority.

The proposed Marriott fine comes hot on the heels of a record fine of
$230 million imposed by the ICO on Monday following the British
Airways data breach. The airline confirmed about 500,000 customers had
their credit cards skimmed over a three-week period between August and
September 2018.

Researchers said a payment-card skimming group known as Magecart,
which injects card-stealing JavaScript into online checkout pages, was
to blame.
