UK fines Marriott $124 million over data breach

Marriott International announced on Tuesday that the UK Information Commissioner’s Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 (more than US$124 million) against the company in relation to the Starwood guest reservation database incident that Marriott announced on November 30, 2018. 

Marriott has the right to respond before any final determination is made and a fine can be issued by the ICO. The company intends to respond and vigorously defend its position, and it pointed out in its press release that the Starwood guest reservation database is no longer used for business operations.

The ICO is the same body that on Monday announced its intent to fine British Airways US$230 million after a website compromise exposed the personal details of roughly 500,000 customers.

“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott International President and CEO Arne Sorenson. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

The ICO said its investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Robert W. Baird & Co. analyst Michael Bellisario published a note on Tuesday morning saying the US$124 million fine equates to 60 basis points of Marriott’s trailing 12 months total revenues (or 2.4% excluding cost reimbursements), which is below the maximum possible fine of 4% of revenue that the ICO could have levied under GDPR. “Overall, while Marriott expects to contest the fine and it is possible the ultimate dollar amount will be reduced or partially covered by cyber insurance, we believe investor sentiment toward Marriott could become less positive in the near term, particularly given the recent run up in the stock price (and valuation near ~16x next 12 months EBITDA), until more clarity emerges regarding the potential financial impact of the data breach.”

Bellisario also raised the question of which regulatory jurisdictions will be next to fine Marriott and how large those fines could be.

In fact, a July 5 report from PrivSec.Report suggested that regulators in Turkey have issued Marriott an administrative fine of almost US$267,000 over the impact of the hotel chain’s five-year-long data breach on that country’s citizens.