We first published this note on 30 October 2020 and have updated it since to take into account additional developments in the case.
Introduction
The ICO has finally imposed a fine (its second highest so far) on Marriott International Inc. (Marriott) of £18.4m for a data breach affecting Starwood Hotels and Resorts Worldwide Inc. in 2014. Marriott subsequently acquired its competitor Starwood and was left carrying the can for the legacy security vulnerabilities that it inherited.
This matter is hot on the heels of the recent multi-million-pound British Airways fine (https://www.corderycompliance.com/is-ba-fine-in-departure-lounge/). Both of these decisions had been significantly delayed and, as in the BA case, Marriott received a significant reduction from the fine proposed in the ICO’s initial Notice of Intent, which here was £99.2m. (Read more about the original Notice of Intent here: https://www.corderycompliance.com/ico-intention-to-fine-marriot-99-million-for-data-breach/.)
Despite the reduction, the case is still a salutary lesson regarding the need to prioritise security and, in particular, the importance of doing thorough due diligence in acquisitions wherever possible.
What went wrong?
Marriott estimates that 339m guest records worldwide were affected following a cyberattack in 2014 on Starwood. Apparently the attack remained undetected until September 2018, by which time the company had been acquired by Marriott.
This was a multi-stage attack which was believed to have started with the installation of a “web shell” (a malicious web-based program enabling remote access and control of a server) and progressed over a number of years with the introduction of additional malware. It is still unclear who was behind the attack.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.
The precise number of people affected is unclear as there may have been multiple records for some guests. Seven million guest records related to people in the UK.
The ICO’s investigation found that there were multiple failures by Marriott to put appropriate technical or organisational measures (TOMs) in place to protect the personal data being processed on its systems, as required by GDPR.
What did the ICO do?
The ICO investigation has been long-running and substantial. Even though the breach occurred prior to GDPR coming into effect, this is a fine under GDPR. The ICO says that the penalty only relates to the breach from 25 May 2018, when new rules under GDPR came into effect. This enforcement approach was likely taken because the effects of the breach continued to be felt after GDPR went live, and the ‘offence’ of failing to report the breach continued long after the attack itself.
The ICO says that, because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under GDPR. It says that the penalty and action have been approved by the other EU DPAs through GDPR’s cooperation process.
The ICO said that, before setting a final penalty and in reducing the fine from the amount in the Notice of Intent, it considered:
- representations from Marriott
- the steps Marriott took to mitigate the effects of the incident, and
- the economic impact of COVID-19 on its business.
The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems. In our view this is important – our experience is that quickly acknowledging what went wrong and taking steps to reduce the harm and prevent recurrence can reduce any eventual penalty.
In contrast, the ICO found that the involvement of a third party (Accenture) in implementing, maintaining, or managing some elements of Marriott’s system did not reduce Marriott’s responsibility for the breaches. The fact that Marriott was planning to decommission the legacy Starwood systems when the attack took place also did not lessen Marriott’s security obligations and associated liability.
The ICO did not look at the issue of whether there was more Marriott could have done by way of due diligence when it acquired Starwood (because it was only considering infringements that occurred post-GDPR). However, it acknowledges that there may be circumstances where in-depth due diligence may not be possible in the context of a hostile takeover.
What has Marriott said?
Marriott has said that it does not intend to appeal. It said:
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
It has also said that it has now closed down the Starwood IT system which was compromised in the incident.
More litigation
As we’ve said before when commenting on previous breaches, the ICO closing its investigation will not be the end of the story. Proceedings have already been commenced against Marriott seeking damages on behalf of those allegedly affected. In August 2020 a representative class action was filed in the High Court in London. The case is being brought on an opt-out basis by automatically including anyone who made a reservation at one of the hotels affected before 10 September 2018. The case is not guaranteed to succeed (for example, the civil case after the Morrisons data breach failed in the Supreme Court in April; see https://www.corderycompliance.com/uk-court-of-appeal-ruling-in-morrisons-vicarious-liability-case/), but it is likely that this litigation will continue unless Marriott or their insurers seek to settle before the hearing.
Practical tips
Treat security as a top priority – to keep personal data secure, organisations need to:
- have robust TOMs in place to protect their systems, including their websites
- do all that they can to stop data breaches
- do ongoing monitoring and testing to detect vulnerabilities and data breaches, and
- implement robust data breach response plans that allow them to react to data breaches quickly when they happen.
Do due diligence when acquiring databases / IT systems – this means doing both legal due diligence and forensic IT testing wherever possible. Ask about things like:
- previous data breaches / close calls
- controls such as data access controls, data transfer controls and physical controls
- penetration testing
- how / when security updates and patches are administered, and
- legacy / acquired IT systems and databases.
Even where in-depth due diligence is not possible pre-acquisition (such as in a takeover of a competitor), the new owner would be expected to do robust checks and testing of the systems and databases that it has acquired as soon as it is in a position to do so.
Conclusions
Any organisation can be the target for this type of attack. They must have a first-rate strategy and proper tools in place for early detection and quick response when these incidents do happen.
Although the fact that Marriott got a much lower fine than originally announced may send out a mixed message, this should not deter organisations from taking data security seriously. Organisations should also bear in mind that class actions for compensation from affected customers may yet substantially add to the final bill in cases like this one.
Further reading and support from Cordery:
There are more tips on dealing with data breaches here https://www.corderycompliance.com/dealing-with-a-breach/ together with a short film on the topic here https://www.corderycompliance.com/dealing-with-a-data-breach/.
We run data breach simulation exercises at Cordery’s Data Breach Academy – https://www.corderycompliance.com/cordery-data-breach-academy-2-2/.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs, which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/, and our Data Protection Glossary, which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com
Image courtesy of Marriott