Dive Brief:
- A United Kingdom watchdog intends to fine Marriott International $124 million (£99 million) related to a "cyber incident," the Information Commissioner's Office (ICO) said Tuesday.
- The hospitality company stated it "has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position," according to Marriott's U.S. Securities and Exchange Commission (SEC) filing.
- Disclosed in November, Marriott's data breach affected nearly 400 million guest records. The ICO said about 30 million of those records belonged to residents of the European Economic Area and seven million to U.K. residents, bringing the breach within the scope of General Data Protection Regulation (GDPR) penalties.
Dive Insight:
In two days, the ICO has announced intentions to fine totaling more than $350 million.
British Airways was hit Monday with a fine of about $230 million, a record-setting penalty in the GDPR era. The airline's data breach was far less extensive than Marriott's, affecting about 500,000 consumers.
The ICO said the airline's "poor security arrangements" led to the GDPR infringement. Like Marriott, the airline has the opportunity to refute the intended fines.
Not all data breaches are created equal. Marriott unknowingly inherited its data breach when it acquired Starwood Hotels and Resorts Worldwide in 2016. The initial intrusion occurred in Starwood's guest database in 2014.
The ICO said Marriott's data breach was a result of a failure to "undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems," according to the announcement.
The hospitality company has since shut down the compromised database, but GDPR holds companies responsible for all the personal data they possess, no matter where it's stored.
After two years, Marriott's breach was detected by an internal security tool.
Mergers and acquisitions only scratch the surface of how companies are held accountable for the personal data they keep.
Quest Diagnostics and LabCorp are facing their own data privacy crises after a third-party billing collector was the victim of a data breach. Though the breach occurred on another entity's system, the medical companies are held equally responsible for the weakest link in their ecosystem.