Marriott International is set to face a $124 million fine for the data breach it revealed late last year.
The punishment comes from the UK Information Commissioner's Office (ICO), which issued a notice of its intention to fine the company “after an extensive investigation”.
In November 2018, Marriott disclosed a data breach that exposed the data of approximately 339 million guests globally. Of that number, 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million belonged to UK citizens, meaning the breach fell under the GDPR.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” commented Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
According to the ICO, Marriott has co-operated with the investigation and has improved its security posture since the incident. The company will have an opportunity to make representations on the proposed findings and sanction, the ICO said.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset,” Denham continued.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”