The U.K.’s privacy watchdog is hitting Marriott International with a $123 million (£99 million) penalty stemming from its 2018 data breach of more than 383 million guest records.
The fine, issued Tuesday by the Information Commissioner’s Office (ICO), comes only a day after the organization proposed a record $230 million fine against British Airways for its own 2018 data breach. Experts say the dual penalties signal that organizations are increasingly cracking down on company data security incidents under the umbrella of the General Data Protection Regulation (GDPR).
The ICO said its investigation found that Marriott failed to undertake sufficient due diligence when it bought the Starwood properties, and should also have done more to secure its systems. “The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in a statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”