The Information Commissioner’s Office (ICO) of the United Kingdom announced on Tuesday that it will fine the Marriott hotel chain 99.2 million British pounds (123.6 million U.S. dollars) for breaching the General Data Protection Regulation (GDPR).
According to a statement issued by the regulator, the proposed fine related to a cyber incident which was believed to have happened in 2014, but was not discovered until 2018.
The ICO stated that about 339 million guest records were exposed globally, of which around 30 million were from 31 countries in the European Economic Area and 7 million related to UK residents.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organizations must be accountable for the personal data they hold.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” Denham said.
“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” Denham said.
The ICO noted that Marriott will now have the opportunity to “make representations” to the regulatory body.
This proposed fine came just one day after the watchdog said it planned to fine British Airways 183 million British pounds over a data breach. (1 British pound = 1.25 U.S. dollars)