After announcing its intention to impose a fine on British Airways on Monday (see EUROPE 12291/17), Tuesday 9 July, the British Data Protection Authority (ICO) attacked the American hotel group Marriott International this time.
Following an in-depth investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
The cause: the piracy of the Starwood Hotels chain, one of its subsidiaries, and the theft of information on a database dedicated to customer reservations, notified to the ICO in November 2018, but which could have started as early as 2014.
The cyber incident reportedly affected the personal data of nearly 339 million guests worldwide, including 30 million residents of European Economic Area countries. The data of seven million Britons are involved, says the ICO.
The ICO investigation revealed that the hotel group had not exercised “sufficient due diligence” in this case and that it should have done more to secure its systems.
Marriott International will now be able to comment on the proposed sanction before the ICO makes its final decision. (Original version in French by Marion Fontana)