By Parmy Olson
LONDON -- Marriott International Inc. faces a potential GBP99.2 million ($123.6 million) fine from the U.K.'s privacy watchdog over a consumer-data breach, as the regulator raises pressure on businesses to comply with Europe's data-protection rules.
The fine -- related to a huge breach of the Starwood Hotels guest reservation database -- comes a day after the same regulator, the Information Commissioner's Office, proposed a record GBP183.4 million ($230 million) fine against British Airways for failing to protect passenger data after a hack last year.
Marriott said it would contest the ruling and that it was cooperating with the regulator.
Europe's privacy rules, known as the General Data Protection Regulation, or GDPR, aim to hold companies accountable for safeguarding personal data. National regulators are tasked with enforcing the rules and can fine companies up to 4% of their annual global revenue for the most serious violations.
Until this week, fines under the rules had typically amounted to less than $1 million. The proposed fine against Marriott represents 2.5% of the company's total revenue excluding cost reimbursements. The proposed fine against British Airways amounted to 1.5% of the airline's revenue. The airline's parent company, International Consolidated Airlines Group SA, also said it would fight the ruling.
The ICO said Marriott hadn't conducted proper due diligence when it bought Starwood in 2016. Two years before the acquisition, hackers had breached Starwood's systems; the intrusion ultimately exposed 339 million guest records, some 30 million of them belonging to people living in Europe. The breach wasn't discovered until 2018, the year GDPR took effect.
The incident was one of the biggest data breaches in history, alongside the hacks of Yahoo Inc. in 2013 and 2014, which were disclosed years later. The breach exposed passport details and payment-card numbers at 54 locations and occurred over eight months.
The world's largest hotel company notified regulators of the incident in November 2018. The ICO said on Tuesday that Marriott "should also have done more to secure its systems."
Marriott, which is the parent of hotel brands including Ritz-Carlton, Westin and Renaissance, has said it no longer uses the Starwood database that was attacked.
"Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database," the hotel group's Chief Executive Arne Sorenson said.
Although Marriott is based in Bethesda, Md., a European Union body tapped the U.K. watchdog to investigate the breach. Marriott now has the right to respond before the regulator formally issues its fine, which could take up to 16 weeks, an ICO spokeswoman said. The regulator has other investigations pending, she added.
Information Commissioner Elizabeth Denham said companies had a legal duty to ensure the security of personal data, just like other assets. "If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public," she said.
Marriott has been under pressure from slowing revenues and labor strikes. The company has also said it incurred $44 million of expenses related to the Starwood breach.
Separately, the District of Columbia is suing Marriott for allegedly charging hidden fees ranging from $9 to as much as $95 a room.
Prosecutors claim the hotelier has tacked resort fees, amenity fees or destination fees on top of advertised room prices in at least 189 properties world-wide, according to a complaint filed Tuesday by D.C. Attorney General Karl Racine.
A Marriott representative declined to comment on the lawsuit, which is part of a broader probe by attorneys general in all 50 states and the District of Columbia into the hotel industry's pricing practices.
--Colin Kellaher and Patrick Thomas contributed to this article.
Corrections & Amplifications
This article was corrected on Aug. 2, 2019 to clarify that a proposed U.K. fine against Marriott International Inc. in relation to a consumer-data breach represents 2.5% of the company's total revenue excluding cost reimbursements. An earlier version said only that it was 2.5% of global revenue without specifying that it is revenue excluding cost reimbursements.