The UK Information Commissioner’s Office (ICO) has announced it intends to fine Marriott International over a security breach that exposed the personal information of guests in the Starwood reservations database since 2014. The intended fine amounts to £99,200,396, or approximately $123,500,000.
In a written statement, Marriott said that it has the right to respond before any final determination is made and a fine can be issued by the ICO, and that it will “respond and vigorously defend its position.”
“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott President and CEO Arne Sorenson. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
Marriott also said that the Starwood guest reservation database that was attacked is no longer used for business operations.
Marriott first announced the hack on November 30, 2018. It affected the personal information of customers, including passport and credit card numbers, in its Starwood reservations database, which it had acquired during the Starwood-Marriott merger in 2016. The database included the Starwood brands W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana) were also included.
In its most recent update, released earlier this year, Marriott estimated that approximately 383 million guest records, at most, were involved in the incident. The actual number of guests was lower, Marriott said, because in many cases there were multiple records for the same guest. The company also said that approximately 5.25 million unencrypted passport numbers were exposed, as well as approximately 20.3 million encrypted passport numbers.
Following the incident, Marriott established a website with information for guests who believe they may have been affected, with phone numbers to reach the company’s dedicated call center. That website is available at https://info.starwoodhotels.com/.