Hard on the heels of the announcement of its plan to fine British Airways, a regulator says it intends to fine Marriott for last year’s data breach.
The U.K.'s Information Commissioner’s Office plans to fine Marriott more than £99 million for falling foul of the new General Data Protection Regulation (GDPR).
On Monday the UK-based ICO handed down a fine of more than £183 million to BA for the cyber attack it reported to the commissioner’s office last September.
Last November, the hotel giant disclosed a data hack involving 500 million customer accounts and dating back to before the merger of Starwood with Marriott.
It later reduced the number of accounts involved to 383 million.
In its fourth quarter earnings for 2018 the company revealed the data breach had cost it $28 million so far.
A statement from the ICO says that a variety of personal data within about 339 million guest records was “exposed by the incident.”
It adds that about 30 million of those records related to European residents.
An investigation by the ICO concluded that the hotel company “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Marriott International’s President and CEO, Arne Sorenson, responded to the ICO announcement, saying the company was disappointed and planned to “contest.”
“Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
The ICO can fine a company up to 4% of its annual revenue for a GDPR violation.
Cyber attacks of this nature have been increasing in volume and intensity and are unlikely to go away.
Recent reports show the travel industry has climbed up the rankings to second or third place in terms of the number of attacks.
At the Amadeus T3CH event earlier this year, Caleb Barlow, IBM Security vice president, X-Force Threat Intelligence, said that these sorts of personal details are valuable to nation state adversaries.
He added that the industry needs to really think about the information it needs to have about customers, how it “obfuscates it, how it encrypts it and how long it keeps it for.”