Marriott Faces $123 Million Fine For 2018 Mega-Breach
U.S. hotel group Marriott has become the second firm in two days to face a massive GDPR fine from the U.K. regulator. The hotel group, which disclosed a breach last year, could face a penalty of more than £99 million ($123 million). The case shows the global reach of the regulation, which protects the personal data of individuals in the EU regardless of where the organization handling that data is based.
In a statement of the regulator’s intention to fine Marriott International, U.K. Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The latest ICO fine comes a day after U.K. airline British Airways was hit with an even larger proposed penalty of £183 million ($229 million). The BA fine was the biggest ever issued by the ICO and the first under the EU’s General Data Protection Regulation (GDPR).
Before BA, the largest fine the ICO had issued was £500,000, the maximum available under the previous U.K. Data Protection Act. Under GDPR, firms can be fined up to €20 million or 4% of global annual turnover, whichever is higher.
The Marriott breach and GDPR
Marriott was first alerted to the attack in September last year, but did not disclose the incident until November. It was initially estimated that up to 500 million guests were affected by the breach, in which the guest reservation database of its Starwood division was accessed by an unauthorized party. Information exposed included payment card details, names, mailing addresses, phone numbers, email addresses and passport numbers.
Then in March this year, more detail emerged after testimony by Marriott’s Group CEO Arne Sorenson. Sorenson said 383 million guest records were involved, including 18.5 million encrypted passport numbers and 5.25 million unencrypted passport numbers, as well as 9.1 million encrypted payment card numbers, of which 385,000 were still valid.
The ICO was notified of the incident by Marriott in November 2018. According to the ICO’s statement, personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
The ICO believes the issues began when the systems of the Starwood hotels group were compromised in 2014, adding: “Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.
“The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Marriott’s GDPR fine: An appeal?
Like the BA penalty, the Marriott fine is at this stage a notice of intent rather than a final decision, and the company has already said it will contest it.
“We are disappointed with this notice of intent from the ICO, which we will contest,” Sorenson said.
The ICO said Marriott has “co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light.”
The ICO investigated the Marriott breach as lead supervisory authority on behalf of the other EU member state data protection authorities concerned, liaising with them throughout.
The U.K. regulator said it will “consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”
Marriott’s GDPR fine: What the future holds
It’s certainly been an eventful week so far, and some industry experts were surprised at how harshly both BA and Marriott were treated by the regulator.
Stuart Peck, director of cybersecurity strategy at ZeroDayLab says he is “surprised” that Marriott’s proposed penalty is lower than BA’s “given the amount of data compromised.”
However, he says: “The ICO is showing that data privacy and protection is to be taken seriously. In particular Marriott, which was compromised for four years before discovering the breach, is being significantly penalized.”
“The ICO is preparing to deal out ‘corrective’ action on a global scale,” agrees Ian Thornton-Trump, security head at AMTrust Europe. “Only time will tell if the GDPR will force the extinction of dinosaur executive boards who paid little heed to the warnings from IT security.”
The proposed Marriott penalty also shows that European firms are not the only ones affected: any company that handles the personal data of people in the EU falls under the regulation, wherever it is headquartered. And when potential GDPR fines are this significant, they will affect firms’ bottom lines. “Not having a robust information security strategy for protecting critical informational assets such as personal data is seriously going to hurt bottom line profits,” Peck says.
Thornton-Trump adds: “Change is hard and the old economic models seeing compliance-driven security as being good enough have just encountered a dimensional rift. All of these companies were warned that cyber comeuppance was approaching. Expect more board room carnage to follow.”