British Airways said on Monday it would contest a £183m fine for a similar breach that saw the personal details of 500,000 people compromised.
The Marriott data breach is believed to have affected around 339 million customers globally.
The Information Commissioner’s Office (ICO) said the penalty related to hacking that is believed to have targeted the systems of the Starwood hotels group in 2014 – two years before it was bought by US-based Marriott.
The database breach was not disclosed until last year.
It was also revealed at that time that the FBI was leading an investigation.
The intended fine is the second to go over the previous maximum of £500k – the GDPR allows for up to 4% of global turnover or €20m.
Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
Rachel Aldighieri, MD of the Data & Marketing Association (DMA), comments: “Following the announcement earlier this week, this is the second fine the ICO has issued under the new GDPR laws. As well as the frequency of these this week, the amount of the intended fine shows just how much importance the regulator places on the security of customers’ data and how seriously businesses should take this issue.
“For most businesses, data is its most valuable asset. So consumer trust in how they collect, store and use data is fundamental to building long-term relationships with customers and their willingness to share data.
“The risks to Marriott go beyond the potential fines regulators can issue too, as the long-term effects on customer trust, share price and public perception could have more lasting damage. Data is an essential part of the digital economy, so maintaining its security must be a business imperative.”