Marriott gets notice to cough up $123 million as fine over last year's reservation data breach

Marriott International warns customers on rising phone scams offering free stay
Marriot hotel. Reuters

Last year's major breach of Marriott International reservation database could lead the hotel to cough up about $123 million as fine.

In 2018, Marriott disclosed a large-scale data breach impacting almost 500 million customers and said they detected unauthorized access to a database tied to customer reservations stretching from 2014 to September 10, 2018. The vulnerable information also included data on seven-million British residents, said UK Information Commissioner's Office (ICO) on Tuesday, July 9.

Once the data breach came to light, customers in US sued global hotel chain Marriott with one class-action lawsuit seeking $12.5 billion in damages.

British Airways has been fined $230 million by ICO after the hackers stole customer data in 2018, as per its parent company, International Airlines Group (IAG) and two days later the regulator issued the statement which included Marriott's data breach.

These fines include an emerging risk in mergers and acquisitions with the ICO blaming the multinational diversified hospitality company for failing to secure its computer database of Starwood Hotels & Resorts.

Elizabeth Denham, the information commissioner stated that the "organisations must be accountable for the personal data they hold," and it can include proper due diligence when making a corporate acquisition, as well as "putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."

As reported by Business Day, ICO said Marriot has cooperated with the regulator's investigation and after discovering the cyber attack it has improved its network security.

In another statement, Marriott CEO Arne Sorenson said that the company is disappointed with ICO's notice and said it would contest it. Even though US-headquartered hospitality company regretted the cyber attack, Sorenson said, "we take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect."

However, it should be noted that the announced fine is about 2.4 percent of the company's total revenue. It is below the possible maximum of four percent that ICO could have imposed under the data protection rules, said an analyst at Robert W Baird, Michael Bellisario.