BETHESDA, Md. — The U.K. Information Commissioner’s Office (ICO) is set to fine Marriott International £99,200,396 (US$125 million) in response to the unauthorized access of the Starwood guest-reservations database.
“We’re disappointed with this notice of intent from the ICO, which we will contest,” says Arne Sorenson, president and CEO of Marriott International. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest-reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Following the discovery of the data breach, Marriott launched an ongoing investigation into the incident. According to an update in January, the data-security incident — originally announced on Nov. 30, 2018 — involved the information of approximately 383-million guests. The company estimated that approximately 5.25-million unencrypted passport numbers, 20.3-million encrypted passport numbers and 8.6-million encrypted payment-card numbers were accessed during the attack last year.
Marriott has since phased out the operation of the Starwood reservations database as part of the company’s post-merger integration work.
The company has the right to respond before any final determination is made and a fine can be issued by the ICO.