Picture: REUTERS

New York — The massive hacking of Marriott International reservation databases could lead to a £99m fine as the UK cracked down on privacy breaches with its second major penalty notice in two days.

The cyber attack, which Marriott disclosed in 2018, exposed information in 339 million guest records, including seven million relating to British residents, the UK Information Commissioner’s Office (ICO) said in a statement on Tuesday. It is the second time in two days the regulator has used its far-reaching EU powers, after proposing a £183.4m penalty against British Airways.

The proposed fine also highlights an emerging risk in mergers and acquisitions, with the ICO blaming Marriott for failing to conduct sufficient due diligence on its acquisition of Starwood Hotels & Resorts. The intrusion likely began in 2014 and targeted a Starwood database, two years before the company was acquired by Marriott; the compromise went undetected through the acquisition and for two further years afterwards.

“Organisations must be accountable for the personal data they hold,” information commissioner Elizabeth Denham said in the statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

The ICO said Marriott has cooperated with the regulator’s investigation and has improved its security since discovering the breach last year. The notice is a notice of intent, not a final penalty: the regulatory process allows Marriott to make representations disputing the ICO’s proposed fine, which the company plans to do.

“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott CEO Arne Sorenson said in a separate statement. “We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect.”

The fine amounts to about 2.4% of Marriott’s total revenue, below the possible maximum of 4% that the ICO could have levied under the data-protection rules, according to Michael Bellisario, an analyst at Robert W Baird. While it’s possible the ultimate amount will be reduced or partially covered by cyber insurance, “we believe investor sentiment toward Marriott could become less positive in the near term”, he said in a note Tuesday.

The ICO fined British Airways after hackers diverted BA’s website traffic to a fraudulent site through which customer details were harvested. BA parent IAG SA said its fine amounts to 1.5% of the airline’s 2017 revenue.

The EU’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, requires companies to implement appropriate technical and organisational measures, such as encryption, to protect the personal data they process. It also states that firms must notify the supervisory authority of a personal-data breach within 72 hours of becoming aware of it. Violations may lead to fines of as much as 4% of a company’s annual global turnover or €20m, whichever is higher.

“Taken together, and especially given the basis of this Marriott fine, this should be a worrying development for any company subject to the ICO’s jurisdiction on GDPR,” said Tamlin Bason, an analyst at Bloomberg Intelligence. “The ICO is taking an aggressive stance on breaches.”

Bloomberg