Marriott Hotels is facing even more legal action from the 2018 data breach. The company is facing a £99 million fine from UK authorities.
If businesses feel that a data breach is no big deal, Marriott Hotels would like to beg to differ. In November of 2018, reports surfaced that the hotel chain suffered a data breach. At the time, reports indicated that the breach affected 500 million hotel guests. That number has since been downgraded to 383 million guests.
Of course, the initial breach would prove to be only the beginning of this epic saga. By January of this year, the company faced multiple class action lawsuits in a number of different jurisdictions. In May, an additional class action lawsuit was filed in Calgary, Alberta (Canada).
Since then, things have quieted down somewhat for the company as it relates to the breach. Now, that has changed. According to TechCrunch, the company is now facing a £99 million ($123 million USD) fine in the UK. From the report:
The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
The breach affected about 30 million residents of the European Union, according to the ICO, which confirmed the proposed fine in a statement Tuesday.
But Marriott said it “has the right to respond” before a fine is imposed and “intends to respond and vigorously defend” its position.
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott’s chief executive Arne Sorenson, in a filing with the U.S. Securities and Exchange Commission. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
Under the new GDPR regime, the ICO has the right to fine up to 4% of a company’s annual turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about 3% of the company’s global revenue.
What is remarkable about this is that we are now more than half a year after the massive data breach. We are still seeing legal repercussions for the company over the breach. Those legal repercussions aren’t small either. What’s more is that we aren’t sure if this is even the end of it either. There could be other investigations, probes, and other class action lawsuits in the works for all we know.
One thing is for sure, the legal problems over this massive data breach are still not over yet for the company.