UK says Marriott must pay €110m in latest GDPR sanction
Hotel chain Marriott International is the latest global brand hit with a massive fine under General Data Protection Regulation (GDPR) rules.
The office of UK Information Commissioner Elizabeth Denham (ICO) said on Tuesday it proposed to fine the chain £99.2m (€110m) for a breach of its Starwood hotels reservation system.
It comes in the wake of ICO imposing a €183.4m penalty on British Airways on Monday.
In November, Marriott disclosed it had discovered the Starwood reservation database had been hacked over a four-year period in one of the largest breaches in history, involving 339 million guests.
Of the accounts affected, around 30 million were of residents of the 31 countries in the European Economic Area (EEA), including seven million in the UK.
ICO began an investigation as lead EU regulator.
"We are disappointed with this notice of intent from the ICO, which we will contest," Marriott chief executive officer Arne Sorenson said in a statement.
Marriott's fine is one of the largest ever for a data protection breach, reflecting the tougher GDPR rules in force across the European Union since last year.
While ICO acted as lead supervisory authority on behalf of other EU Member States' data protection authorities, as of March, at least five US states were also investigating the Marriott breach, making it potentially even more expensive for the hotel group.
The data breach dated back to 2014, two years before Marriott bought Starwood, but the exposure of customer information was not discovered until 2018.