Renowned hotel chain Marriott International has been fined £18.4 million by the ICO over a data breach which is estimated to have affected around 339 million customers across the globe. The fine originally proposed by the ICO has been reduced from the £99 million announced in its notice of intent to fine in July last year. Much like British Airways’ recent fine for GDPR infringements, the final figure represents a significant reduction in the original fine proposed by the UK regulator.

A cyber attack, from an unknown source, affected the systems of the Starwood hotels group in 2014 but was not detected until September 2018, two years after Starwood was acquired by Marriott. The attacker was able to infiltrate Starwood’s systems by using a piece of code known as a ‘web shell’ on a company device. This was further exploited to install malware, giving them remote access to the company’s systems as a privileged user. With these credentials, the attacker accessed and exported personal data including names, e-mail addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status, credit card details and loyalty programme membership numbers.

The ICO took on the EU investigation as the lead supervisory authority and pursued penalties relating to breaches from 25 May 2018, when GDPR rules came into effect across all Member States. The ICO’s investigation found that there were failures by Marriott to put appropriate technical and organisational measures in place to protect the personal data being processed on its systems as required by GDPR.

There were several aggravating factors taken into account by the ICO in the proposed penalty notice issued to Marriott. The size, profile and nature of Marriott’s business (i.e. involving processing of large volumes of personal data) were all noted as reasons they should have been alert to the fact they would be a target for such attacks. The inconsistent use of multi-factor authentication and encryption across Marriott’s databases was considered negatively. Furthermore, the ICO pointed to insufficient monitoring of both privileged accounts and the databases themselves. Finally, they suggested the use of whitelisting, a method of introducing increased role specific access controls, as an example of action Marriott could have taken to secure their network. The regulator focused heavily on the National Cyber Security Guidance, “10 Steps to Cyber Security”, in their assessment.

As part of the representations made by Marriott to the ICO in respect to the proposed penalty notice, the following points were considered as mitigating factors and helped contribute to the reduction of their fine. Upon discovery of the breach, Marriott swiftly initiated their ‘Incident Security and Privacy Response Plan’ and disclosed the breach to the ICO. Marriott quickly introduced remedial measures to address their security vulnerabilities and to protect the interests of data subjects, an example being their dedicated helpline for those affected. Their cooperation with the regulator and their previously clean record were also noted as considerations in their favour. Finally, the ICO applied a further reduction due to the financial impact of COVID-19 on the hospitality industry.

The Information Commissioner Elizabeth Denham commented: “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset”. As such, the ICO made no distinction between the compromise of, for example, e-mail addresses and individuals’ cardholder data. Further still, Marriott were not successful in reducing their liability by emphasising their inheritance of these systems – the legal position being that there is an ongoing duty to ensure the safety and security of people’s data under GDPR, regardless of mergers or acquisitions. Neither were they allowed to rely on the outsourcing of their security processes to Accenture, their third party provider, as they were considered the ultimate data controller.

Much like in the BA case, Marriott avoided the full brunt of the ICO’s potential enforcement penalty. The ICO has clearly refined its thinking and approach to monetary penalties since issuing its proposed fines to BA and Marriott in 2019. In this regard, it is worth bearing in mind that just last month the ICO launched a consultation on its “Statutory guidance on our regulatory action” and the ICO will have been keen to ensure that the fines issued to both BA and Marriott were not out of kilter with its proposed statutory guidance on penalty notices.

As with any data breach there are additional matters to consider. Marriott still has to contend with a class action lawsuit filed at the High Court of England and Wales by millions of former guests demanding compensation.

How can we help?

For further information on data breaches and potential liabilities under UK data protection law, please don’t hesitate to get in touch with a member of our specialist GDPR & Cyber Security team.