The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
The Cyber Attack
In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network.
With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.
The ICO acknowledged that Marriott acted promptly to contact customers and the ICO.
It also acted quickly to mitigate the risk of damage suffered by customers. However it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014.
Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.
It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November.
The Information Commissioner, Elizabeth Denham, said:
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Marriott said in statement:
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.
This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a for a comparatively small amount of £275,000.