The UK Information Commissioner’s Office (ICO) has fined hotel company Marriott £18.4m under the General Data Protection Regulation (GDPR) over a cyber attack that began in 2014 on the Starwood hotel chain, which Marriott acquired in 2016, and saw around 339 million guest records compromised. The revised fine is an 81% reduction on the £99m the ICO initially proposed.
The latest reduction comes just a fortnight after British Airways succeeded in arguing a £183m data protection fine down to £20m, reflecting the steps the airline subsequently took to rectify gaps in its security posture, as well as the impact of the Covid-19 pandemic. The ICO said today that the reduction in Marriott’s fine also reflected these factors.
The ICO said Marriott had acted promptly to contact customers and notify the authorities once it became aware of the problem and has since implemented more appropriate security measures.
“Personal data is precious and businesses have to look after it,” said information commissioner Elizabeth Denham. “Millions of people’s data was affected by Marriott’s failure. Thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The intrusion at Starwood began in 2014, went undetected for four years and was not disclosed until November 2018. It started with a relatively trivial compromise: the attackers placed a web shell on a device on Starwood’s network and used it to install a remote access trojan (Rat), giving them full access as a privileged user.
They then installed and ran the Mimikatz post-exploitation tool to harvest legitimate credentials, which they used to reach and exfiltrate Starwood’s customer reservation database.
The data included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, and loyalty programme status. About seven million of the affected records related to people in the UK.
The attacker retained access to data on Starwood’s network for nearly four years, through the acquisition of the chain by Marriott in 2016, although its network remained segregated from Marriott’s throughout the integration process.
The attackers were uncovered on 7 September 2018, when an action they performed on the database triggered an alert from the Guardium database activity monitoring tool. The alert went to Accenture, which managed Starwood’s reservation database under an outsourcing contract, and Accenture informed Marriott.
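The chain described above (web shell, remote access trojan, Mimikatz credential harvesting, database exfiltration) was caught only at its final stage, by monitoring on the database itself, after four years. The two earlier stages leave process-level traces that endpoint telemetry can flag within minutes. The following is an added example, not code from the article or from Marriott, Starwood or Accenture: a small detector over constructed, Sysmon-style process events (event ID 1 for process creation, event ID 10 for process access) that flags a web server worker spawning a command interpreter, the usual footprint of a web shell being driven from a browser, and a non-allow-listed process opening LSASS with memory-read rights, the access pattern credential-dumping tools such as Mimikatz require. The host names, paths, command lines and the allow-list of LSASS readers are all invented for the example and would be tuned to a real estate.

```python
"""Added example: early-stage detection for the web shell -> credential dumping
pattern. Events, hosts, paths and the allow-list below are constructed for
illustration and are not from the incident described in the article."""
from dataclasses import dataclass
from typing import Iterable, List

# Parent processes that should never spawn an interactive shell on a web host.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat", "java"}
# Children that indicate a web shell is executing operator commands.
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash", "certutil.exe", "bitsadmin.exe"}
# Processes allowed to read LSASS memory (assumption: replace with your own list).
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# Sysmon event ID 10 GrantedAccess bits that permit reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400


@dataclass
class Event:
    host: str
    event_id: int            # 1 = process create, 10 = process access (Sysmon numbering)
    image: str               # the acting process
    target: str = ""         # parent image (ID 1) or accessed image (ID 10)
    granted_access: int = 0  # only meaningful for ID 10
    cmdline: str = ""


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: Iterable[Event]) -> List[Finding]:
    """Run both rules over a stream of events and return every match."""
    findings: List[Finding] = []
    for e in events:
        if e.event_id == 1:
            parent, child = basename(e.target), basename(e.image)
            if parent in WEB_SERVER_PROCS and child in SHELLS:
                findings.append(Finding(e.host, "webshell_child_process",
                                        f"{parent} spawned {child}: {e.cmdline}"))
        elif e.event_id == 10:
            src, dst = basename(e.image), basename(e.target)
            reads_memory = e.granted_access & (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION)
            if dst == "lsass.exe" and reads_memory and src not in LSASS_READERS_ALLOWED:
                findings.append(Finding(e.host, "lsass_memory_read",
                                        f"{src} opened lsass.exe with 0x{e.granted_access:x}"))
    return findings


# Constructed sample telemetry: two malicious events among benign ones.
SAMPLE_EVENTS = [
    Event("web01", 1, r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\inetsrv\w3wp.exe", cmdline='cmd.exe /c "whoami & net user"'),
    Event("web01", 1, r"C:\Windows\System32\conhost.exe",
          r"C:\Windows\System32\cmd.exe", cmdline="conhost.exe"),           # benign
    Event("web01", 10, r"C:\Users\Public\svchost.exe",
          r"C:\Windows\System32\lsass.exe", granted_access=0x1010),         # dumping pattern
    Event("web01", 10, r"C:\Windows\System32\csrss.exe",
          r"C:\Windows\System32\lsass.exe", granted_access=0x1FFFFF),       # allow-listed
    Event("db01", 1, "/bin/sh", "/usr/sbin/sshd", cmdline="sh -c ls"),     # benign
]


def run_sample() -> List[Finding]:
    """Apply the detector to the constructed sample and return its findings."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

The first rule is parent-child only and needs no knowledge of the web shell's file name or contents, which is why it survives renaming and obfuscation. The second keys on the access mask rather than the tool, so it catches any dumper that reads LSASS memory, at the cost of needing an allow-list of legitimate readers (security agents, in particular) that must be maintained per environment.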
The ICO judged that between 25 May 2018, when the GDPR came into force, and 17 September 2018, when Marriott’s investigation identified and blocked the Rat, the hotel chain had failed to comply with Articles 5(1)(f) and 32 of the GDPR by failing to process personal data in a manner that ensured appropriate security.
A Marriott spokesperson said: “Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations. As the ICO acknowledges, Marriott cooperated fully throughout the investigation.
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognises. The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.
“Marriott wants to reassure guests that the incident and the ICO’s decision involved only Starwood’s separate network, which is no longer in use.”
Mishcon de Reya partner Adam Rose said the ICO’s latest decision appeared to put an “inordinate” strain on the buyer of a company. “With all its due diligence and warranty protections, Marriott did not uncover the data breach, not least because Starwood didn’t know about it. This sort of decision does little to protect individuals or to help successful businesses grow through acquisition: Marriott did all that it reasonably could when making the acquisition, but is now facing a large, albeit reduced, fine,” he said.
Ann Bevitt, partner at law firm Cooley, commented: “As with the BA fine, this was a long time coming – the ICO indicated that it was intending to fine Marriott £99m in July 2019 – and the final fine is significantly less than that originally proposed.
“Whether a second significantly-reduced fine will be welcomed as another example of ‘pandemic pragmatism’ and encourage organisations to be less robust with their adherence to the GDPR remains to be seen.”
Judy Krieg, partner at Fieldfisher, added: “It is becoming abundantly clear that the anticipated GDPR mega fines for cyber breaches (at least for cyber breaches) are not coming to fruition. That said, Marriott, like British Airways, has felt significant effects of Covid-19 and the figure has not come out of thin air, so we can only speculate as to what was factored into the ICO’s calculations.”