Marriott International is to be fined £99.2 million ($180m) by the Information Commissioner’s Office for its mega data breach which saw hackers steal the records of 339 million guests.
The hackers had gained access to Starwood’s guest reservation database back in 2014, obtaining guests’ credit card details, passport numbers and dates of birth; Starwood was merged with Marriott in 2016, before the breach was discovered.
The ICO fine relates to breaches under the General Data Protection Regulation (GDPR).
The ICO said that about 30 million of the hacked guest records related to residents of 31 countries in the European Economic Area. Seven million related to UK residents.
The ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Elizabeth Denham, the information commissioner.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
Marriott said it would appeal against the fine.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, the president and chief executive of Marriott International.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”