Marriott International announced that the UK Information Commissioner’s Office (ICO) has communicated its intent to issue a $124 million fine (£99,200,396) against the company in relation to the Starwood guest reservation data breach that Marriott announced on November 30, 2018. The company said that it has the right to respond and intends to defend its position before any final determination is made and a fine can be issued by the ICO.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, Marriott president and CEO. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott,” Sorenson continued.
The company reported in January that it had completed its phase-out of the Starwood guest reservation database that was attacked. In that same update provided in January, Marriott updated the number of guest records it believes was involved in the data breach to approximately 383 million, although the company noted that some of these may involve multiple records for the same guest. In addition, the company reported that approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were included in the information accessed by an unauthorized third party, as well as 8.6 million encrypted payment cards.
