The U.K. Information Commissioner's Office (ICO) proposes to fine Marriott
International 99.2 million British pounds ($123.5 million) for the massive
data breach reported last November.
On Monday, the ICO proposed to fine British Airways 183.4 million British
pounds ($229 million) for its data breach last year.
"Personal data has a real value, so organizations have
a legal duty to ensure its security, just like they would do with any other
asset," said U.K. information commissioner Elizabeth Denham in a press
release. "If that doesn't happen, we will not hesitate to take strong
action when necessary to protect the rights of the public."
Marriott has a right to respond before the ICO issues its
fine. In a statement, the company said it "intends to respond and
vigorously defend its position."
Marriott International president and CEO Arne Sorenson said,
"We are disappointed with this notice of intent from the ICO, which we
will contest. Marriott has been cooperating with the ICO throughout its
investigation into the incident, which involved a criminal attack against the
Starwood guest reservation database."
Marriott had said the breach of Starwood's reservation
system had allowed unauthorized access since 2014, before Marriott acquired
Starwood in September 2016. The breach was found to have exposed as many as 383
million records, including combinations of names, mailing addresses, phone
numbers, email addresses, passport numbers and payment card numbers, among
other personal information.