In what can only be described as a record week in General Data Protection Regulation (GDPR) history, the UK Information Commissioner's Office (ICO) has this morning announced its intention to fine Marriott International, Inc (Marriott) £99,200,396 (NZ$187,160,476).
The fine is in response to a colossal cyber hack which exposed approximately 339 million guests' records worldwide over the course of 2014 to 2018, including millions of unencrypted passport numbers and credit card records.
It is believed that the security vulnerability began in the Starwood Hotels Group central reservation system in 2014, before the group was acquired by Marriott in 2016. The ICO's investigation found that "Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems", underscoring the importance of undertaking a thorough due diligence process prior to making an acquisition.
This announcement comes only a day after the ICO notified its intention to impose a record NZ$346.38 million fine on British Airways for a cyber incident which occurred in 2018.
In a statement this morning, Marriott's CEO Arne Sorenson has expressed Marriott's disappointment with the ICO's proposed fine and has stated that the company intends to contest it.