UK to fine Marriott over Starwood hack

The U.K. Information Commissioner’s Office intends to fine Marriott International over a security breach that exposed the personal information of guests in the Starwood Hotels & Resorts Worldwide reservations database from 2014 until the breach was discovered in November 2018. The intended fine amounts to £99,200,396, or approximately $123 million.

In a statement, Marriott, which acquired Starwood in 2016, said that it has the right to respond before any final determination is made and a fine can be issued by the ICO, and that it will “respond and vigorously defend its position.”

“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott President/CEO Arne Sorenson said in that statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

Marriott also said that the Starwood guest reservation database that was attacked is no longer used for business operations. 

Last November, Marriott disclosed that it had been the victim of what is shaping up to be the biggest data breach of all time. The breach allowed hackers unauthorized access to the Starwood network starting in 2014. Marriott acquired Starwood in 2016 for $13.6 billion, creating the world’s largest hotel operator.

Earlier this year, Marriott International revised downward the number of guests impacted, finding that fewer guest records were involved in the incident than the 500 million initially estimated.

The megachain identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the years-long cyber attack. However, this number may not represent unique guests. Marriott’s research also uncovered multiple records of the same guest in many incidents, concluding that information for far fewer than 383 million unique guests was involved in the breach.