Marriott takes $126m GDPR charge over Starwood hotel reservation system data breach
Marriott has set aside the cash to cover an anticipated £99m fine under GDPR for its November 2018 security breach
Marriott has taken a $126 million charge in the latest quarterly results to cover an anticipated £99 million GDPR fine over its November 2018 data breach.
It comes just a month after the Information Commissioner's Office (ICO) announced its intention to impose the fine under the European Union's General Data Protection Regulation (GDPR) for the 2018 data breach in its Starwood hotels reservation system.
The ICO claimed that Marriott failed to take timely steps to secure its systems after buying Starwood in 2016. Following the ICO's announcement in July, Marriott said that it would contest the ruling.
In November 2018, Marriott disclosed that a security breach in its Starwood reservation database exposed records of about 383 million guests, including their credit card and passport details, as well as when and where were those people travelling and with whom. The data breach started in 2014 and continued for four years until Marriott detected it in November 2018.
Marriott admitted that the attackers were able to access the reservation database of Starwood properties, which included hotel chains Westin, St. Regis, Sheraton, Aloft, W Hotels, Le Meridien, and Four Points.
Marriott had earlier kept Starwood's reservation databases separate from its own until 2018. The breach did not affect the reservation system of the Marriott Hotels brand.
Nearly seven million of the affected users in the breach were from UK, while 30 million were residents of 31 countries in the European Economic Area.
The finger of blame for the data breach has been pointed at China's Ministry of State Security.
The world's largest hotel chain is currently facing the impact of weakening business travel due to a slowdown in global economic activity. The company reported on Monday that its second quarter profit fell 65 per cent to $232 million, or 69 cent per share.