After being sued last year over a years-old data breach, US hotel chain Marriott is being fined £99.2m by the Information Commissioner's Office (ICO), a penalty bolstered by the newly introduced General Data Protection Regulation (GDPR) rules.
A class action lawsuit was filed earlier this year after Marriott admitted that its Starwood reservation system had been breached, and it was a doozy: around 339 million guests' details were leaked, with 30 million of those being European visitors.
"We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database," said Sorenson, Marriott International's president.
"We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
Obviously, the Starwood system is no longer being used, but the ICO lays the blame at the feet of the hotel chain for not doing the proper due diligence with the system.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said the ICO's Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."
The ICO recently went after British Airways following the airline's data breach, fining it a whopping £183m.
Both companies will likely do all they can to wriggle out of paying the fines.