"Make no mistake, the European Union devised GDPR and regulation such as the NIS Directive to improve the standard of cyber putting crucial requirements in place to protect consumers, organisations and our critical infrastructure".
"The GDPR makes it clear that organizations must be accountable for the personal data they hold", Information Commissioner Elizabeth Denham said.
Regulators said the Starwood system was compromised in 2014 and hackers had access to customer data over a four-year period. It also said Marriott should have done more to secure its systems.
The regulator said Marriott cooperated with its investigation and made security improvements since the hack was disclosed.
'We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals, ' said Walsh.
Marriott's fine is one of the largest from the British data protection watchdog, which on Monday proposed a record 183.4 million pound ($230 million) penalty for British Airways-owner IAG for the theft of data from 500,000 customers from its website previous year.
"Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset".
Justin Coker, VP EMEA at Skybox Security said that a bigger penalty does seem to be sending a message to any firms operating in the United Kingdom which are lingering in cybersecurity complacency.
The fine amounts to about 2.4 per cent of Marriott's trailing 12-month total revenue excluding cost reimbursements, according to Michael Bellisario, an analyst at Robert W. Baird & Co. The ICO rampage is only a start and should put companies that deal with personal data on high alert.
The proposed fines against British Airways and Marriott International indicate that the ICO is prepared to take a hard line on security breaches that compromise customer information, and to make full use of the powers available to it under GDPR. He said the breach was the result of a criminal attack.
Starwood hotels group's online systems were first compromised in 2014, two years before Marriott acquired it. Guests who made a reservation with any Starwood hotels on or before September 10, 2018, could be affected.
"People's personal data is just that - personal".
Class-action lawsuits started piling on hours after Marriott announced its security breach.