Having announced its intention to fine British Airways £183.39 million, the UK Information Commissioner's Office (ICO) has now turned its sights on Marriott International. It intends to fine Marriott International £99.2 million for a significant data breach that the company admitted to in November 2018.
In a statement Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott has already responded to the news, issuing its own statement. In it, Marriott International’s President and CEO, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
What was the breach?
At the end of 2018, Marriott admitted that hackers had gained access to the personal data of over 339 million guests who stayed at its Starwood properties. According to Marriott, the breach started in 2014 and remained active until it was detected and shut down in September 2018.
During that time, cyber criminals accessed personal data including: “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, and encrypted payment card numbers.”
Marriott did say that: “the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Further compounding the issue was the admission that 5.25 million unique passport numbers, along with several thousand payment card numbers, were stored unencrypted.
Among the guests affected were 30 million residents across 31 European Economic Area (EEA) countries, 7 million of them UK residents. As such, the investigation involved multiple EEA data protection authorities, with the UK ICO taking the lead.
Why is the fine so high if the breach is pre-GDPR?
This is a very good question. In April 2018, Marriott International announced that it was merging with Starwood Hotels and Resorts. The merger was completed effective August 2018. Because the breach continued after the merger, the ICO appears to be treating it as a new issue and therefore sees it as a GDPR incident.
This is significant. Over the last year, as organisations have been legally required to report breaches, many have claimed that the breaches started before May 29, 2018. This allows them to be treated under the older, more lenient data protection regimes. The ICO appears to be saying that if you merged two entities after May 29, 2018 and admit to a breach that continued beyond the merger date, you can expect it to be treated as a GDPR breach.
Will these fines drive a new approach to securing data?
Another very good question. The old fines regime was more of a slap on the wrist and the levels made it easy to write off. While there were other costs, especially reputational, many large organisations were able to shrug those off. So far, no major privacy breach has become a Ratner moment for large organisations.
So will the C-Suite and the main board actually take notice? Jake Olcott, VP Government Affairs at BitSight, says they must: “These fines make it clear — executives and boards are responsible and accountable for cybersecurity. It has never been more important for them to understand and manage their organisation’s security performance just like they would manage any other critical business issue. When it comes to cybersecurity, ongoing briefings, regular reporting, and performance metrics are no longer nice to have — they are required.”
Fouad Khalil, VP of Compliance at SecurityScorecard, believes that all of this was preventable. He said: “To keep up with current threats and risks, organizations must adopt continuous assurance best practices. Could any level of BA or Marriott investment into ongoing compliance have spared them this breach? Of course!! The £183 Million, and £99 Million potential fine, along with reputational and customer trust impacts, by far outweighs the internal cost of privacy and security program maturity efforts.”
The most important thing here is that companies need to avoid buying solutions just to get that compliance tick. As Kai Grunwitz, Senior Vice President, EMEA, NTT Security, told Enterprise Times: “Compliance does not equal security and security does not equal compliance.” It is a message that still seems to be eluding the boardroom.
Enterprise Times: What does this mean?
Two big cases and fines in two days means that ICOs are getting serious about data breaches. It shows that European ICOs are also willing to work together to bring cases against large companies. It also sends a message to the C-Suite that there is nowhere left to hide. Either look after and protect personal data or pay the price.
Of course, there are the inevitable appeals to be heard and they will take time as they go through different strata of the legal system. However, there is nothing in the Marriott or British Airways judgements that suggests the rulings are flawed or that we will see significant reductions in the amounts.
More importantly, while these are two very large companies, they are far from the biggest. After its troubles, Facebook will be eyeing this nervously, as will Google and many others. Most of the big targets are US companies, and the question here is whether the US will move to protect its companies from these fines. Given the move across the world to adopt laws similar to the GDPR, the answer could be no.
For now, it’s all eyes on the ICO as we wait to see who is next to get a shock bill for losing data.