- A United Kingdom watchdog intends to fine Marriott International $124 million (£99 million) related to a "cyber incident," the Information Commissioner's Office (ICO) said Tuesday.
- The hospitality company stated it "has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position," according to Marriott's U.S. Securities and Exchange Commission (SEC) filing.
- Disclosed in November, Marriott's data breach impacted nearly 400 million guest records. The ICO said about 30 million records belonged to residents in the European Economic Area and seven million were U.K. residents, therefore falling under the General Data Protection Regulation (GDPR) penalties.
The ICO has issued more than $350 million-worth of intentions to fine in two days.
British Airways was hit by a fine of about $230 million Monday, a record setting fine in the age of GDPR. The airline's data breach was far less extensive than Marriott, impacting about 500,000 consumers.
The ICO said the airline's "poor security arrangements" led to the GDPR infringement. Like Marriott, the airline has the opportunity to refute the intended fines.
Not all data breaches are created equal. Marriott unknowingly inherited its data breach when it acquired Starwood Hotels and Resorts Worldwide in 2016. The initial intrusion occurred in Starwood's guest database in 2014.
The ICO said Marriott's data breach was a result of a failure to "undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems," according to the announcement.
The hospitality company has since shut down the compromised database, but GDPR holds companies responsible for all the personal data they possess, no matter where it's stored.
After two years, Marriott's breach was detected by an internal security tool.
Mergers and acquisitions only scratch the surface of how companies are held accountable for the personal data they keep.
Quest Diagnostics and LabCorp are facing their own data privacy crises after a third-party billing collector was the victim of a data breach. Though the breach occurred on another entity's system, the medical companies are held equally as responsible for the weakest link in their ecosystem.