On October 30, 2020, the UK Information Commissioner’s Office (“ICO”) announced that it had imposed a fine of £18.4 million (approximately $23.9 million) on Marriott International, Inc. (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant decrease from the proposed fine of £99,200,396 (about $124 million) announced by the ICO in July 2019. The ICO’s fine relates only to the violation from the date the GDPR came into force in May 2018, and it is the second largest fine that the ICO has imposed under the GDPR to date. Marriott has not admitted liability for the breach, but has indicated that no appeal is planned.
The Marriott security breach resulted from a cyber attack in 2014 against Starwood Hotels and Resorts Worldwide Inc. (“Starwood”), which Marriott acquired in 2016. It affected an estimated 339 million guest records worldwide, of which seven million related to individuals in the United Kingdom. The data affected included names, email addresses, telephone numbers, passport numbers, arrival and departure information, as well as information on VIP status and the loyalty program. The unknown attacker had installed code on a device in the Starwood system and used malware to obtain remote access as a privileged system user. This gave the attacker unrestricted access to the device in question and to other devices on the Starwood network to which the account had access. Credentials were then collected, and the database in which reservation data is stored was accessed by the attacker and exported. The attack was discovered in September 2018, and Marriott notified the ICO and affected individuals in November 2018 after becoming fully aware of the nature of the breach.
According to the ICO, Marriott had not taken suitable technical and organizational measures to secure personal data, as prescribed in Article 5(1)(f) and Article 32 of the GDPR. The ICO identified four main flaws: insufficient monitoring of privileged accounts, which delayed discovery of the breach; insufficient monitoring of databases; failure to implement server hardening as a preventive measure (i.e., reducing the server’s exposure to attack, e.g. through whitelisting); and failure to encrypt certain personal data, including some passport numbers.
Marriott sought to convince the ICO that the sophistication of the attack should be taken into account in determining appropriate enforcement measures, but the ICO declined, stating that what the attack revealed was that Marriott had not taken appropriate security measures to combat attacks of this type and/or other identifiable risks to the system. The ICO also rejected Marriott’s claim that Article 33 of the GDPR requires a controller to be reasonably certain that a personal data breach has occurred before notifying the ICO, holding instead that notification is required once a controller can reasonably conclude that a personal data breach is likely to have occurred. The ICO nevertheless concluded that Marriott had not breached its Article 33 GDPR reporting requirement. The ICO also found no breach of the Article 34 requirement to notify data subjects of the breach, but noted some flaws in Marriott’s approach, such as an accidental failure to include the phone number for its “dedicated call center” in the email sent to data subjects.
In calculating the fine, the ICO used the five-step process set out in its Regulatory Action Policy and initially found that Marriott had not obtained any financial benefit from the breach. The ICO found that the nature of Marriott’s failures was of significant importance, as Marriott could have taken multiple steps to detect the attack earlier and the breach affected an “extremely large number” of people. The ICO considered that the breach caused concern to individuals, as evidenced by the likely cancellation of payment cards and the 57,000 calls the Marriott call center received following the breach. The ICO concluded that Marriott acted negligently by failing to maintain the affected systems appropriately, particularly given the size and profile of Marriott and the likelihood that attackers would target it.
In reducing the proposed fine, the ICO took into account the representations made by Marriott, the measures taken to mitigate the impact of the incident, and the economic impact that Marriott has suffered as a result of the COVID-19 pandemic. It recognized that Marriott acted promptly in contacting customers and the ICO, attempted to reduce the risk of harm to customers once it discovered the breach, and has since improved the security of its systems. Steps Marriott took to mitigate the impact of the breach included implementing password resets, disabling accounts known to be at risk, and deploying advanced detection tools. Marriott also set up a dedicated multilingual incident website and call center, and took a number of other steps to provide support and reassurance. The ICO also took into account the fact that Marriott had fully cooperated with the ICO’s investigation.
In light of the representations made by Marriott in response to its notice of intent regarding the fine, the ICO initially settled on a fine of £28 million. The mitigating factors discussed above reduced the fine by 20% to £22.4 million, and the impact of the COVID-19 pandemic on Marriott’s business was then taken into account, reducing the fine further to £18.4 million.