The U.K.'s Information Commissioner's Office has fined Marriott International £18.4 million ($23.98 million) for a cyberattack on the Starwood Hotels & Resorts reservation system, according to the ICO, which levied the fine after concluding its investigation into the data breach.
The attack began in 2014, before Marriott's acquisition of Starwood, and was discovered in September 2018 and reported that November. The ICO initially wanted to penalize Marriott $123 million. Before setting its final penalty, the ICO considered Marriott's explanation, the steps Marriott took to mitigate the effects of the incident and the economic impact of Covid-19 on its business. The penalty relates to the breach only from May 25, 2018, when new rules under the General Data Protection Regulation came into effect.
Marriott estimated that up to 339 million guest records worldwide were affected, with about 7 million of those related to people in the U.K., according to the ICO.
The investigation found that Marriott failed to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the GDPR.
"Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not," said ICO information commissioner Elizabeth Denham in a statement.
Marriott in a statement said that it does not intend to appeal the decision, "but makes no admission of liability in relation to the decision or the underlying allegations. As the ICO acknowledges, Marriott cooperated fully throughout the investigation."
Marriott further stated that it "deeply regrets the incident," and remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems.
In March, Marriott announced it had experienced a second data breach, which affected up to 5.2 million guests.