Marriott International (NASDAQ: MAR) is being fined USD 123 million by the UK’s Information Commissioner’s Office (ICO) for exposing the private data of 339 million customers in a data breach.
The breach wasn’t necessarily due to faults on Marriott’s part; rather, it stemmed from an acquisition. Marriott bought Starwood, a hotel company, in 2016. What the Company didn’t know was that Starwood’s database had been breached back in 2014. Marriott was unable to detect the breach until November 2018.
The breach exposed a plethora of data, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, arrival and departure information, reservation dates, and communication preferences. Encrypted payment card numbers, along with expiration dates, were exposed as well.
Marriott International said that “the Company intends to respond and vigorously defend its position,” and that it “has the right to respond before any final determination is made and a fine can be issued by the ICO.”
“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott International’s president and CEO, Arne Sorenson, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”