Marriott International fined almost £100m by ICO for 2018 data breach
10 July 2019
The Information Commissioner’s Office has announced its decision to fine Marriott International almost £100 million for failing to prevent a massive data breach last year that compromised approximately 383 million data records, of which around 30 million related to residents of 31 countries in the European Economic Area.
The ICO announced its decision to penalise Marriott International shortly after it imposed a staggering £183.39 million fine under GDPR to British Airways for failing to prevent a cyber incident last year that compromised personal and financial information of approximately 500,000 customers.
Back-to-back mega fines issued by the ICO
The ICO’s intent to issue back-to-back fines to global organisations under the year-old GDPR suggests that the fine issued to British Airways was not a one-off case and that large organisations will continue to face stiff fines for failing to strengthen their cyber security credentials.
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said Information Commissioner Elizabeth Denham.
“Personal data has real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” she added.
“With two significant fines on well-known brands in two days, it’s clear the ICO means business. There’s no wriggle room for shortcomings here, so an organisation that fails to adequately protect customer data should prepare for a severe financial penalty. That monetary cost could be crippling for any business, and the knock-on reputational consequences can be just as costly,” says Dan Sloshberg, cyber resilience expert at Mimecast.
“Every business must wake up to its responsibilities under GDPR. That means mitigating cyber threats, as well as taking steps to manage data responsibly and securely. This can’t be a piecemeal effort.
“There needs to be a robust cyber resilience strategy in place that spans key business systems, yet being unprepared is commonplace across the country – 52% of UK businesses still don’t have such a plan in place. Organisations cannot afford to be complacent and must assess whether they are adequately protected,” he adds.
“After handing out a £183m fine to British Airways, it appears as if the ICO is gearing up to unleash the full might of its GDPR-enhanced power, this time on Marriott for breaching 30 million Europeans data.
“While these may seem like large fines, these are in relation to large breaches, and it’s about time that the security of personal information of citizens is given the same level of attention as financial data, if not more,” says Javvad Malik, security awareness advocate at KnowBe4.
Marriott International failed to secure personal data of hundreds of millions of customers
The cyber incident that rocked Marriott International last year involved hackers gaining unauthorised access to the Starwood guest reservation database and copying all information stored in the database. The unauthorised access began in 2014, long before Marriott acquired Starwood and continued until it was detected.
The data breach impacted personal and financial information of millions of people who made bookings at Marriott International’s Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
While the affected Starwood guest reservation database stored combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account numbers, dates of birth and gender of 327 million guests, it also stored payment card numbers and payment card expiration dates belonging to millions of other guests.
In January this year, Marriott International announced that the unauthorised access gained by unknown hackers compromised no more than 383 million data records that included 8.6 million unique payment card numbers (encrypted), 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.
The Information Commissioner’s Office was notified about the cyber incident by Marriott in November last year, following which it initiated an extensive investigation into the incident. Yesterday, following the completion of the investigation, it announced its intent to fine Marriott International £99,200,396 for failing to prevent the unauthorised access.
According to the ICO, the cyber incident exposed approximately 339 million guest records globally, out of which around 30 million related to residents of 31 countries in the European Economic Area (EEA), and 7 million related to residents of the UK.
“It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems,” it observed.
“The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings,” it added.
Marriott disappointed by the ICO’s decision
Commenting on the ICO’s decision to issue a fine of £99,200,396 against it, Marriott International has said that it will “vigorously defend its position” and will exercise its right to respond before any final determination is made by the ICO.
“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott,” said Arne Sorenson, President and CEO of Marriott International.