The massive breach of Marriott International Inc. reservation databases could lead to a 99 million-pound ($124 million) fine under the General Data Protection Regulation, an outcome that would highlight the UK’s aggressive approach to online breaches and an emerging risk in mergers and acquisitions.
The cyber attack, which Marriott disclosed last year, exposed 339 million guest records, including 7 million records related to UK residents, the UK Information Commissioner’s Office said in a statement describing its “intention to fine” the hotel company. The initial hack likely took place in 2014 and targeted a database for Starwood Hotels & Resorts, which Marriott didn’t acquire until 2016. Still, the ICO blamed Marriott for failing to conduct sufficient due diligence around the acquisition.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in the statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The ICO said Marriott has cooperated with the regulator’s investigation and has improved its security since discovering the breach last year. The regulatory process allows Marriott to dispute the ICO’s fine, which the company plans to do.
“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott Chief Executive Officer Arne Sorenson said in a separate statement. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The fine amounts to about 2.4 percent of Marriott’s total revenue, below the possible maximum of 4 percent that the ICO could have levied under the data-protection rules, according to Michael Bellisario, an analyst at Robert W. Baird & Co. While it’s possible the ultimate amount will be reduced or partially covered by cyber insurance, “we believe investor sentiment toward Marriott could become less positive in the near term,” he said in a note Tuesday.