The massive hacking of Marriott International Inc. reservation databases could lead to a 99 million-pound ($124 million) fine as the U.K. cracked down on privacy breaches with its second major penalty notice in two days.
The cyber attack, which Marriott disclosed last year, exposed information on 339 million guest records, including 7 million related to British residents, the U.K. Information Commissioner’s Office said in a statement Tuesday. It’s the second time in two days the regulator has taken advantage of far-reaching European Union powers after proposing a 183.4 million-pound penalty against British Airways.
The proposed fine also highlights an emerging risk in mergers and acquisitions with the ICO blaming Marriott for failing to conduct sufficient due diligence on its acquisition of Starwood Hotels & Resorts. The hack likely took place in 2014 and targeted a Starwood database, two years before the company was acquired by Marriott.
“Organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in the statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
The ICO said Marriott has cooperated with the regulator’s investigation and has improved its security since discovering the breach last year. The regulatory process allows Marriott to dispute the fine, which the company plans to do.
The fine amounts to about 2.4% of Marriott’s trailing 12-month total revenue excluding cost reimbursements, according to Michael Bellisario, an analyst at Robert W. Baird & Co. While it’s possible the ultimate amount will be reduced or partially covered by cyber insurance, “we believe investor sentiment toward Marriott could become less positive in the near term,” he said in a note Tuesday.
The ICO fined British Airways after hackers diverted BA’s website traffic to a fraudulent site through which customer details were harvested. BA parent IAG SA said its fine amounts to 1.5% of the airline’s 2017 revenue.
The EU’s General Data Protection Regulation, which took effect on May 25, 2018, requires companies to take technical precautions such as encryption to ensure customer data is protected. It also states that firms must notify authorities about breaches within 72 hours after learning about them. Violations may lead to fines of as much as 4% of a company’s annual sales.
“Taken together, and especially given the basis of this Marriott fine, this should be a worrying development for any company subject to ICO’s jurisdiction on GDPR,” said Tamlin Bason, an analyst at Bloomberg Intelligence. “The ICO is taking an aggressive stance on breaches.”
The ICO has indicated that there are another 12 fines in the pipeline, Richard Cumbley, global head of the technology practice at Linklaters, said in an emailed statement. “If they are all of the same scale as the recent fines, that would mean a significant shift in the risk of not complying with the GDPR.”