Marriott faces $123 million fine in U.K. for data breach

BETHESDA, Md. — Marriott says it will fight a $123 million U.K. government fine related to its massive data breach.

Marriott has the right to respond to the proposed fine before a final determination is made by the U.K.’s Information Commissioner’s Office. The agency says the breach violated the European Union’s data protection regulations.

Marriott announced last November that data from as many as 500 million guests at its Starwood hotels may have been compromised by unauthorized access dating to 2014.

In January, the Bethesda, Maryland, company revised that figure to 323 million guests, and said around 25 million passport numbers may also have been compromised. Marriott has alerted affected guests.

In a statement issued Tuesday, the Information Commissioner’s Office said the breach affected 30 million European residents, including 7 million in the U.K. The agency found that Marriott failed to perform sufficient due diligence when it bought Starwood in 2016. It also said Marriott should have done more to secure its systems.

The Information Commissioner’s Office noted that Marriott has made improvements to its system since the breach was discovered.

In a statement, Marriott President and CEO Arne Sorenson said the company has assisted the Information Commissioner’s Office with its investigation. He said the breach was the result of a criminal attack.

“We are disappointed with this notice of intent from the ICO, which we will contest,” Sorenson said in a statement.

Marriott shares fell 1.5% to $139.20 in afternoon trading.

This is the second large fine announced by the Information Commissioner’s Office this week. On Monday, the agency proposed a $229 million fine against British Airways over a data breach that affected 500,000 customers. If that fine holds, it will be the largest levied yet under new, tougher European Union data protection regulations.