The Marriott data breach included 30 million guest records belonging to Europeans.
The breach dates back to 2014, when Starwood hotels group was hit by an attack on its systems. The ICO says Marriott should have taken additional measures to bolster security and that it should have done so sooner.
The ICO says Marriott's security practices and procedures failed to protect personal information.
The regulator added that organizations have a "legal duty" to ensure the security of customers' personal data.
The ICO noted that Marriott will now have the opportunity to "make representations" to the regulatory body. Companies that breach the law can be fined up to 4% of their annual revenue.
Any organization that holds or uses data on people inside the European Union is subject to the rules, regardless of where it is based. "It can not just be a paper drill", he said. "If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public", Denham said.
"We are focused on identity access management, which means a broader deployment of two-factor authentication across our systems, as well as network segmentation, which means isolating the most valuable data so that it becomes more hard for attackers to access the systems and for malware to spread through the environment", Sorenson said in that testimony.
The ICO has been investigating the case as lead supervisory authority on behalf of other EU Member State data protection authorities.More news: CAD Drops as Bank of Canada Flags Concerns Over Trade Wars
More news: India vs New Zealand - Highlights & Stats
More news: Military chief: British seizure of Iranian oil tanker 'won't go unanswered'
The hotel chain released a statement Tuesday saying it would contest the fine. Personal data from 339 million guest records (30 million European citizens and 7 million United Kingdom citizens) was exposed in the incident.
Starwood hotels group's online systems were first compromised in 2014, two years before Marriott acquired it. Guests who made a reservation with any Starwood hotels on or before September 10, 2018, could be affected.
Marriott said the Starwood guest reservation system was retired earlier this year.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
British Airways could face a heavy fine because of a large data breach involving hundreds of thousands of customers having their financial data exposed in 2018. On Monday, the watchdog announced its intention to fine British Airways $230 million in relation to a 2018 data breach.
"Yesterday's £183m and today's £99m fines have solidified GDPR as a very serious piece of legislation, and one that is putting an organisation's cyber security challenges and budget into an entirely new context". While specific customer information was kept safe-like travel dates and passport information-the airline initially suggested that those who fear they were impacted reset their bank and British Airways account information.
"We are surprised and disappointed in this initial finding from the ICO".