A day after British Airways was fined a record £183 million over a data hack, Marriott International was told it was receiving a £99 million penalty yesterday for breaching data protection law.
The Information Commissioner’s Office, Britain’s data privacy authority, said that it had issued a notice of its intention to fine one of the world’s biggest hotel companies for infringements of the General Data Protection Regulation.
Marriott, which has more than 7,000 hotels under brands including Ritz-Carlton, Sheraton and Le Méridien, said that it deeply regretted the incident and had co-operated in the investigation, adding that it “intends to respond and vigorously defend its position”.
The commissioner’s office said that the proposed fine related to a “cyber- incident” reported to it by Marriott in November last year in which 339 million guests’ records had been exposed. Of these, seven million were in Britain.
The authority said that the incident related to Starwood Hotels, which was acquired by Marriott in 2016, two years after the breach. It said that the exposure of customer information had not been discovered until last year as a result of the company’s failure to undertake sufficient due diligence for the acquisition.
The commissioner’s office has been investigating the case as lead supervisory authority on behalf of institutions from other European Union member states.
This week, it announced its intention to fine British Airways for failing to protect the “fundamental privacy rights” of half a million passengers whose data had been hacked last year. The airline said that the hack had been the result of criminal activity rather than its own failings. It intends to “take all appropriate steps to defend the airline’s position”.
The data protection regulations came into effect in May last year and apply to all EU members. They were designed to bolster the rights of citizens to appeal against the misuse of their data and to empower authorities to fine companies up to 4 per cent of their annual turnover.
Legal experts said that the ICO was sending a clear shot across the bows of big business. Matthew Holman, of the EMW commercial law firm, said that companies could be hit twice: “In addition to the fine, businesses may face an equally large compensation claim from affected individuals who form a class action.”