The data breach that cost Marriott £18.4 million – what went wrong?

Philippa DonnNovember 2020

The humongous penalty train keeps rolling – after the £20 million fine for British Airways for GDPR violations, the Information Commissioner’s Office (ICO) has slapped an £18.4 million fine on Marriott International Inc.

In its ruling, the ICO says Marriott made multiple failures in its technical and organisational measures for protecting personal data. The case also highlights how when a business acquires another company it becomes accountable for past as well as present compliance.

An estimated (and staggering) 339 million guest records were affected worldwide, following the 2014 cyber-attack on Starwood Hotels and Resorts Worldwide Inc. It’s estimated 7 million of those affected were UK citizens.

Starwood was acquired by Marriott in 2016, and the attack went undetected until September 2018. The ICO has stressed its ruling relates to infringements after GDPR came into force in May 2018.

As the data breach was notified before Brexit, the ICO was able to act as lead supervisory authority, charged with investigating the breach on behalf of all affected EU citizens.

The penalty was signed-off by other EU data protection authorities, under GDPR’s one-stop shop mechanism for cross-border cases. Moving forward post-Brexit, the UK will no longer be part of the one-stop mechanism.

Why was the fine reduced?

In its original ‘Notice of Intention’ to fine in July 2019, the ICO set the figure at an eye-watering £99 million. The Regulator says this amount was reduced taking several factors into consideration;

Marriott’s representations to the ICO
The action the hotel group took to mitigate the breach’s impact
The economic impact of the COVID-19 pandemic

There are some rumblings the pandemic may be proving a handy ‘excuse’ for the ICO; COVID-19 was also cited in the reasons for reducing the British Airways fine.

This begs the question – did the ICO significantly over-estimate in their initial notices, or are they being kind-spirited due to the current financial and operating climate?

What went wrong for Marriott?

In 2014 unknown hacker(s) installed code onto a device in the Starwood systems. This gave them the ability to edit the contents of the device remotely.
This was exploited to install malware, giving the attacker privileged access. The attacker had unrestricted access to connected devices across the Starwood network. The attacker then continued to install further tools, enhancing the malicious access.
In 2016 Marriott acquired Starwood. The ICO’s ruling reveals Marriott was only able to carry out limited due diligence of Starwood’s data processing systems and databases prior to acquisition (those with acquisition experience will know how challenging robust due diligence can be).
In September 2018, the attacker made a move which finally tripped an alert. They exported a table which contained card details on which a security trigger had been set. Such alerts were not in place to automatically trigger on other data sets accessed – for example passport details.
Marriott notified the ICO and affected individuals in November 2018 after becoming ‘aware’ of the nature of the breach.
The data exfiltrated by the hacker(s) affected data included names, email addresses, phone numbers, passport numbers, arrival and departure information, VIP status and loyalty program information.

72-hour data breach notification rules

You may note there was a significant time delay between the trigger being fired in September on Starwood’s systems and Marriott’s notification to the ICO in November.

As part of its representations Marriott challenged the ICO’s initial finding that the 72-hour breach notification rules had been infringed (GDPR Article 33).

This comes down to when a controller can be judged to be ‘aware’ a personal data breach has occurred.

In its final ruling ICO found Marriott was incorrect to claim that;

“The GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the Commissioner. Rather, a data controller must be able to reasonably conclude that it is likely a personal data breach has occurred to trigger the notification requirement.”

However, in ‘this particular case’ taking into account Marriott’s representations the Commissioner decided to make a finding that Marriott had NOT breached the notification requirements.

Key ICO findings

At a top-level there are four key findings in the ICO’s ruling. It’s worth remembering the ruling applies to the period post 25 May 2018, despite historic pre-2018 concerns.

Insufficient monitoring of privileged accounts
There was a failure to put in place ongoing network and user activity monitoring. The ICO says Marriott should’ve been aware of the need to have multiple layers of security.
Insufficient monitoring of databases
Failure to implement server hardening – the vulnerability of the server could’ve been reduced, for example, through whitelisting.
Lack of encryption – for example, passport details were not encrypted.

If you are interested in the full details, you can read the full ICO Marriott ruling.

The ICO references the National Cyber Security Guidance: 10 steps for Cyber Security, which is a useful resource for any business wanting to make sure their cyber sec is robust.

There’s little doubt the attack Marriott suffered was sophisticated, but the ICO says their investigation revealed how the hotel group failed to put in place appropriate security measures to address such attacks and other identifiable risks to their systems.

Impact on individuals

In its ruling the ICO ruling took into account the nature of the personal data breached.

Despite assurances given and mitigating steps taken by Marriott, the Regulator concluded it was likely some of the affected individuals will, depending on their circumstances, have suffered anxiety and distress. The Ruling also specifically calls out the duration of the breach, lasting as it did a period of 4 years.

What can we learn from this data breach?

The number of people affected, the nature of the data maliciously accessed, the potential distress caused and the size and profile of Marriott… all of these will have played a part in the £18.4 million fine. This is a scalable problem – but for every business cyber security needs to be a priority.

When acquiring a company, due diligence is crucial prior and post-acquisition, but this must be an ongoing process, not a one-off activity.

The fine’s just the tip of the financial iceberg. Marriott will have spent a significant amount on rectifying the breach and mitigating the impact for affected individuals, before we even contemplate the cost of complex and protracted legal representation.

Alongside this hefty financial hit, the hotel group also faces a class action lawsuit from customers who are seeking compensation. If successful, this could prove even more costly.

It’s worth noting the fine would’ve been higher if Marriott hadn’t proactively sent email communications to affected customers, created a data breach website and set up a call centre to provide a data breach hotline.

It’s often said, because it’s true, you can’t underestimate how crucial it is to be prepared for a data breach. Making sure you have a robust (and tested) data incident plan, being able to effectively and quickly assess the risk posed, plus having a pre-prepared communications strategy and measures to support those affected.

Commenting on the fine, the UK’s information commissioner Elizabeth Denham said;

“Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Marriott says they remain committed to the privacy and security of their guests and is continuing to make significant investments in security measures for its systems. Marriott has not admitted liability for the breach, but has indicated it won’t appeal.

Need extra support and advice? We can support with your data incident planning and procedures. Get in touch – we can also provide rapid support should you suffer a data incident which requires effective and quick investigation.

British Airways data breach – what can we learn?

Simon BlanchardOctober 2020

We’ve finally heard the UK Information Commissioner’s Office (ICO) has fined British Airways £20 million for failing to protect personal and credit card data in their 2018 data breach. A breach which affected more than 400,000 BA customers and staff.

A final decision on this has been expected for some time, we just didn’t know what the figure would be until now. The amount is a fraction of the £183 million initially announced in the ICO’s notice of intention to fine. After considering BA’s representations and factoring in the economic impacts of COVID-19 it has been significantly reduced. But it’s still an eye-watering sum, in fact, the largest fine issued by the ICO.

What are the key lessons other businesses can learn from BA’s painful experience?

Information security must be taken seriously at Board level

Modern businesses rely on data more and more to provide quality services for customers and to create competitive advantage. However, the risks to personal data are numerous, varied and ever-changing. A data breach can massively harm a business’s reputation with its customers, staff and with the world at large.

It’s often said that with power comes responsibility, so businesses need to recognise their roles as guardian and protector of the personal data of their customers and employees. We have to deliver on the promises we make, for example, in our privacy notices. Any steps your business can take to properly protect personal data and demonstrate to staff and the public how seriously you take data protection will help protect them from harm and also may help you to stand out from competitors in these tough times.

Boards need to show leadership by insisting on a strong and vigilant information security regime. I guess that means they need to be prepared to fund it too! It also means asking tough questions about the levels of data protection in place across the organisation.

Rachel Aldighieri, MD of the Data & Marketing Association (DMA), believes this is a wake up call;

“Brexit and coronavirus have put businesses under immense financial strain. A fine of this magnitude will certainly get the attention of Board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO. This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.

“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers. This message should resonate with businesses now more than ever.”

Security measures must not only be ‘adequate’ but also checked and verified

The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker accessing their network.

Martin Turner, Managing Director at cybersecurity specialists Full Frame Technology, believes BA missed the basics:

“As with so many serious data breaches, this one was caused by a failure to adopt the most basic security measures, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication.

Login credentials for a domain administrator account were stored in plain text. Software code wasn’t reviewed effectively. These are issues that a cybersecurity audit should have revealed, and BA has yet to explain why this didn’t happen.”

The ICO has (finally) shown us it has teeth!

Could this be a turning point? It’s been a long time coming and many expected it to happen much sooner. The ICO have finally issued a BIG fine more in keeping with the expectations most of us had when GDPR came into force.

Nevertheless, you might feel the ICO has shown a measure of pragmatism, reducing the fine down so much from the original £183m. But it’s not great timing for any business to suffer a body blow like this.

It will be interesting to see what figure the ICO finally decide to fine Marriott International for their Starwood data breach, which first came to our attention around the same time as BA. The ICO’s original ‘intention to fine’ for Marriott was £99 million.

Should we think again about data breach insurance?

You might be thinking afresh about breach insurance. We’d suggest you shop around and pay attention to the fine print, as data breach insurance policies can vary more than you might imagine.

Don’t just look at the price as no two policies are the same and there is little consistency in the way policies are worded. The levels of cover and features on offer can vary significantly. Keep an eye out for exclusions!

One key differentiator you may wish to delve into is the level of support your insurer will provide in the event of a breach or a cyber attack. Do they have a team of specialists in place who will advise and help you to triage a live situation? This is one area where you might get just what you pay for.

This fine was long anticipated and the pandemic has definitely played its part in reducing the final amount. The travel sector has been badly impacted by COVID and £20 million will hit BA hard. BA may decide to appeal against it. It goes to show how important it is to have robust data protection and security measures in place.