Another day another (hundred million) dollar for the ICO…
The Information Commissioner’s Office (the “ICO”) has this afternoon announced its intention to fine Marriott International (“Marriott”) £99,200,396 (US$124 million) for breaches of data protection… Read more
The Information Commissioner’s Office (the “ICO”) has this afternoon announced its intention to fine Marriott International (“Marriott”) £99,200,396 (US$124 million) for breaches of data protection law.
The data breach
The issue dates back to 2014 when the guest reservations database of another hotel group, the Starwood group, was initially compromised. The Starwood group was subsequently acquired by Marriott in 2016 in a deal worth US$13.6 billion, but the vulnerability in the system was not uncovered until two years later.
In November 2018, Marriott publicly announced that the records of up to 383 million customers had been involved in a data breach. An investigation revealed that a cyber attack had left customer records exposed in 2014. Since then attackers had been able to access the Starwood network. The investigators found a Remote Access Trojan (RAT) on the Starwood systems, which allowed hackers to covertly access and gain control over a computer. It was later revealed in January 2019 that five million unencrypted passport numbers had been stolen, in addition to the more than 20 million encrypted passport numbers already identified. 8.6 million unique payment card numbers were also taken.
ICO’s notice of intention
Although Marriott was quick to act once the breach came to light, for example by setting up a dedicated website and free helpline to provide information to affected customers and offering them a fraud detection service, this doesn’t seem to have been enough by way of mitigation for the ICO. In particular, other aggravating factors seem to be significant, not least the nature of the data at issue and the four-year gap between the exposure of the records and the discovery of the breach. In particular the ICO highlighted the importance of conducting proper due diligence when making corporate acquisitions, stating that “personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset”.
This is the second intended fine announced by the ICO in as many days following a relatively quiet first year since the implementation of the General Data Protection Regulation (“GDPR”) last May. Under the GDPR the ICO has the power to issue a fine of up to 4% of the company’s annual global turnover for the previous year. Based on a global turnover in 2018 of around US$20 billion, this fine amounts to approximately 0.6% for Marriott. Equally a significant amount of the breach occurred pre GDPR implementation.
Marriott’s response and next steps
Responding to the notice of intention from the ICO, Marriott’s President and CEO Arne Sorensen said “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
Marriott now has 28 days in which to appeal the ICO’s intention by making representations to the regulator about the findings of the investigation and the amount of the proposed fine. The ICO will liaise with data protection regulators across EU member states in which affected Marriott customers reside. The global nature of this breach also makes it significant as demonstrated by the fact that as of March 2018, at least five US states were also investigating the breach.
As the ICO identified in its notice, Marriott’s main downfall was not conducting sufficient due diligence to identify the malware on Starwood’s systems, particularly as the initial breach occurred two years prior to the acquisition. It has similar aspects to the headline grabbing Talk Talk breach that occurred pre GDPR. As cyber-attacks become more commonplace and cyber attackers more sophisticated, corporate M&A activity must adapt to take into account the significant risks that buying data (or companies that hold data) can have for the buyer further down the line. Companies will also need to carefully review their entire digital infrastructure base upon any acquisition, including cyber security measures. While both British Airways and Marriott have reported that they were the victims of sophisticated criminal activity the ICO seems to be indicating that notwithstanding that, it was ultimately poor security practices that led to the breach.
As for the ICO, what the past two days have shown is that it is not afraid to flex its muscles when it comes to issuing significant fines which has garnered significant media attention. However, it remains to be seen whether the level of these fines will be upheld based on submissions received during the 28-day period. What is clear is that whilst many hoped that GDPR could be put lower down the priority list after the compliance work undertaken last year, it is now likely to remain a Board level issue and one which requires continuous compliance and improvement given the nature of data breaches and cyber attacks in this day and age.