The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123 million) fine for a data breach that exposed up to 383 million guests.
Marriott revealed last year that its acquired Starwood properties had its central reservation database hacked, including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018. Marriott later pulled the hacked reservation system from its operations.
The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
The breach affected about 30 million residents of the European Union, according to the ICO, which confirmed the proposed fine in a statement Tuesday.