
Marriott fined £18m for breach – not £99m

by Mark Rowe

The UK data protection watchdog has fined Marriott International Inc £18.4m after the hotel chain estimated that some 339 million guest records worldwide were affected by a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018; Marriott had acquired Starwood in 2016.

The personal data involved varied from record to record and was a mix of encrypted and unencrypted fields; it may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number, according to the Information Commissioner’s Office (ICO). It is unclear how many people were affected, as there may have been multiple records for a single guest. Seven million guest records related to people in the UK, out of 30m in Europe.

Marriott stated to the ICO that it was only able to carry out ‘limited’ due diligence on the Starwood data processing systems.

While the attack did not involve access to the wider Marriott network, the ICO found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the EU-wide General Data Protection Regulation (GDPR), which came into force in May 2018. The ICO acknowledged that Marriott acted promptly to contact customers and the regulator. The US-based hotel firm also acted to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems, the ICO added.

Information Commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

The ICO traced the cyber-attack back to 2014, but the penalty only relates to the breach from May 2018, when new rules under the GDPR came into effect. Because the breach happened before the UK left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

More details from the ICO on its website.

Comments

Kate Bevan, consumer advice campaign group Which? Computing editor, said: “It’s positive to see the Information Commissioner’s Office showing its teeth and sending a clear message to companies that it is unacceptable to play fast and loose with people’s personal data. However, our research earlier this year suggested that Marriott had not learned lessons from previous data breaches and still had serious vulnerabilities on its websites that could leave customers exposed to opportunistic cybercriminals.

“Some people will be frustrated if they’ve suffered financially and emotionally from this data breach but had no redress. The government should provide a much clearer route to this by allowing for an opt-out collective redress regime that deals with mass data breaches.

“Any consumers worried that they could have been affected by a data breach should change online passwords that might have been compromised and, where possible, enable two-factor authentication. They should also monitor bank and other online accounts as well as their credit report to guard against potential identity fraud.”

Ilia Kolochenko, Founder and CEO of web security company ImmuniWeb, said that compared to the ICO’s ‘notice of intent’ in 2019 to fine Marriott £99m, the penalty seems to be strongly adjusted to the pandemic crisis. “The attack had actually happened in 2014, and was disclosed four years later – when GDPR was already enforced, potentially raising questions about retroactive application of the law. Thus, the decision seems to be pretty fair and adequate in view of the circumstances.

“This present case, however, may disincentivise some organisations, hit by the spiralling pandemic, from investing in cybersecurity and data protection. We already observe some industries freezing their cybersecurity budgets and laying off security personnel. Such “savings” may result in disastrous data breaches, harsh financial penalties by several state agencies, and trigger multi-million lawsuits and class actions from the victims.

“I respectfully disagree with some experts who say that GDPR becomes toothless, but the signal is clear – the application of penalties under GDPR may, and likely will, depend on the financial conditions of a breached company. This makes a lot of sense but may eventually diminish or even nullify the deterring purpose of GDPR.”

And Dr Francis Gaffney, Director of threat intelligence at cybersecurity firm Mimecast, said: “Regulations are not just something that organisations have to comply with, they should encourage improved behaviours and best practice. Too often, regulation is viewed as a burden, but organisations should start to view it through the lens of their customers, partners, or employees. If a customer trusts you with their data, you owe it to them to protect it and ensure it is safe. Many organisations are having to pay financial penalties for such data breaches and it is only afterwards that the cost of a breach now outweighs the potential savings from not investing in security and data management solutions.

“Furthermore, it is often the case that the damage to the organisation’s reputation and branding dwarfs the fine imposed. This breach is particularly worrying, as it went undetected for a number of months and a lot of personal data could have been exposed. More widely, data from individual breaches is capable of being aggregated with information from other, unrelated breaches, to perform credential stuffing attacks against an individual’s online accounts.”


© 2024 Professional Security Magazine. All rights reserved.
