Marriott is paying the price for exposed data. Literally.
The company's data breach in 2018 leaked 339 million guest records, and Marriott now faces a £99,200,396 fine for violating the General Data Protection Regulation (GDPR).
That's roughly $124 million in US dollars.
The incident stemmed from Marriott's purchase of the Starwood Hotels group, whose systems had been compromised in 2014. But Marriott didn't discover the exposure until four years later, which EU regulators call a failure.
The Information Commissioner's Office (ICO) reported its findings:
"The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems."
And Information Commissioner Elizabeth Denham was direct in her support for the fine against Marriott:
"The GDPR makes it clear that organizations must be accountable for the personal data they hold. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
The second GDPR fine this month
If you thought $124 million was steep, that number was actually modest compared to another GDPR fine.
Earlier this month, the ICO announced a fine against British Airways for its data breach, which was even more severe.
British Airways is facing a $228 million fine for a data breach that apparently violated the requirements of Europe's GDPR.
Hundreds of thousands of British Airways customers had their personal information harvested by hackers in 2018 when traffic was diverted to a fake British Airways site.
These GDPR fines are sending a message to companies: improve data protection or else.