ICO fines Marriott £18.4 million in relation to Starwood Hotel’s 2014 data breach

Summary

• The ICO has fined Marriott Inc (“Marriott”) £18.4 million in relation to a 2014 cyber-attack on Starwood Hotels.
• The ICO had previously issued a notice of its intention to fine Marriott £99.2 million. The Penalty Notice does not explain the reasons why the final fine is considerably lower than this amount.
• Following the ICO’s consideration of three rounds of representations made by Marriott, Marriott has been fined for failing to process personal data in a manner that ensures appropriate security of the personal data.
• The ICO has made clear that its decision relates solely to Marriott’s failures after 25 May 2018 (i.e. post-GDPR) despite the historic, pre-2018 nature of the cyber-attack.
• The ICO identified four principal security failures which may be useful for organisations looking to understand the level of security measures that the regulator expects to be in place.
• In its Penalty Notice, the ICO has unfortunately avoided giving any real guidance as to what it expects from the data protection and cyber security due diligence process in corporate transactions (such as the Marriott acquisition of the Starwood Group).
• This decision follows the recent announcement of the ICO’s decision to fine British Airways a significantly reduced fine of £20 million (rather than its original proposed fine of £183 million).

Background

As we detailed in our blog post back in July 2019 (https://hsfnotes.com/data/2019/07/10/marriott-starwood-data-breach-ico-intention-to-issue-another-big-99-million-mega-fine/), the guest reservation system of the Starwood group of hotels was compromised in 2014, exposing the personal data of approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries (at the time) in the European Economic Area. Seven million of those related to UK residents. However, this data breach was not discovered until 2018, following the acquisition of the Starwood group by Marriott in 2016.

In July 2019, the Information Commissioner’s Office (“ICO”) issued a notice of intent to fine Marriott £99.2 million for this data breach. It was announced one day after the notice of the ICO’s intent to fine British Airways £183.39 million.

The ICO investigated this case as the lead supervisory authority on behalf of other EU Member State data protection authorities.

The ICO’s decision

The ICO has issued a monetary penalty notice (“Penalty Notice”) to Marriott, fining Marriott £18.4 million for failing to process personal data in a manner that ensures appropriate security of the personal data, as required by Article 5(1)(f) and Article 32 of the GDPR, representing a significant reduction of £80.8 million from the original figure of £99.2 million.

In a similar way to the British Airways penalty notice, the Penalty Notice does not explain the reasons why the final fine has been reduced by such a substantial amount, although it is to be noted that Marriott made three rounds of representations to the ICO, with the third round of representations being specifically in respect of the financial impact on its business caused by the Covid-19 pandemic.

It appears that Marriott’s representations led to the following:

• the ICO clarifying certain factual findings made in its notice of intent in light of Marriott’s new submissions;
• the removal of the provisional finding by the ICO of a breach by Marriott of Article 33 of the GDPR (notification of a personal data breach to the supervisory authority) proposed in the ICO’s notice of intent; and
• no finding in the Penalty Notice in relation to a breach by Marriott of Article 34 of the GDPR (communication of a personal data breach to the data subject) despite a provisional finding of the same proposed in the ICO’s notice of intent.

According to the Penalty Notice, the ICO has taken into account the following factors in calculating the fine, in accordance with Article 83 of the GDPR and the ICO’s Regulatory Action Policy:

• Financial Gain: Marriott did not gain any financial benefit or avoid any losses directly or indirectly as a result of the breach. The ICO, therefore, did not add an initial element at this stage.
• Nature and Gravity: The ICO considered the nature of the failures to be of significant concern, affecting an extremely large number of individuals although the mitigating steps taken by Marriott were taken into account.
• Duration: Although the cyber-attack spanned a four-year period, the Penalty Notice relates to infringements occurring between 25 May 2018 to 17 September 2018. Regardless of this, the ICO considered this to be a significant period of time over which unauthorised access to personal data went undetected and/or unremedied.
• Culpability: The breach was a not an intentional or deliberate act on the part of Marriott. The ICO rather found Marriott to be negligent. In coming to this conclusion, the ICO took into account Marriott’s size and profile.
• Responsibility: The ICO found Marriott to be wholly responsible for the breaches of Article 5(1)(f) and Article 32 of the GDPR.
• Previous Actions: Marriott had no relevant previous infringements or failures to comply with past notices.
• Cooperation: Marriott fully cooperated with the ICO’s investigation.
• Categories of Personal Data: The affected data included unencrypted passport details, credit card data and various other categories of personal information.
• Notification: Marriott is considered to have complied with its notification obligations.

Taking into account the factors above, the ICO considered that a penalty of £28 million (before any adjustments) would be an appropriate starting point to reflect the seriousness of the breach, and the need for the penalty to be effective, proportionate and dissuasive in the context of Marriott’s scale and turnover. There is nothing in the Penalty Notice which indicates how the ICO reached the amount of £99.2 million in its original notice of intent.

The ICO did not consider there to be any aggravating factors to apply in order to increase the penalty and further did not consider it necessary to increase the penalty in order for it to be ‘dissuasive’.

Turning to any potential downwards adjustment, the ICO considered a 20% downwards adjustment (£5.6 million) to be appropriate, taking into account various mitigating factors, including:

• Marriott’s continual and increasing investment in security;
• the immediate steps to (i) mitigate and minimise the effects of the cyber-attack and (ii) protect the interests of data subjects through the implementation of remedial measures;
• Marriott’s full cooperation with the ICO’s investigation including its prompt responses to requests for information;
• the broad press coverage as a result of the cyber-attack will have likely raised awareness with other controllers of potential risks; and
• the adverse effect on Marriott’s brand and reputation.

Finally, having regard to the impact of the Covid-19 pandemic on Marriott, the ICO applied a further reduction of £4 million to the fine, taking it to a final amount of £18.4 million. It should be noted that although the ICO acknowledged the significant impact of the Covid-19 pandemic on Marriott’s revenues, it did not consider that the imposition of a penalty in the range being proposed would cause financial hardship to Marriott, or that Marriott would be unable to pay such a penalty.

Details of the GDPR infringements

The ICO concluded that, between 25 May 2018 and 17 September 2018, Marriott failed to comply with its obligations under Article 5(1)(f) of the GDPR – the integrity and confidentiality principle – and Article 32 of the GDPR – security of processing. According to the ICO, Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. The ICO identified four principal security failures:

• Insufficient monitoring of privileged accounts that would have detected the breach

The ICO was concerned that Marriott did not have appropriate and adequate measures in place to allow for the identification of the breach and to prevent further unauthorised activity, particularly once the attacker had found its way into the cardholder data environment (CDE). This included a failure to have ongoing monitoring of user activity, particularly activity by privileged accounts.

• Insufficient monitoring of databases

Marriott was found to have failed to adequately monitor the databases within the cardholder data environment. The ICO was concerned with three failures in particular: (a) deficiencies in Marriott’s setup of security alerts on databases in the cardholder data environment; (b) the failure to aggregate logs; and (c) the failure to log actions taken on the cardholder data environment systems, such as the creation of files and the exporting of entire database tables. Whilst Marriott did have a system in place to log activity and issue alerts, the ICO deemed this to be unsatisfactory given that Marriott did not ensure the logging of key activities taking place on the databases. Marriott also did not engage in server logging of the creation of files which allowed the attacker to export entire databases undetected. In addition, alerts were only placed on tables that contained payment card information or specific queries and the actions of the attacker did not meet the conditions for the triggering of an alert. While Marriott had a security incident event management system (SIEM) and a security operations centre (SOC) these were rendered ineffective by the lack of monitoring at source.

• Control of critical systems (failure to implement server hardening as a preventative measure)

The ICO stated that it would have been appropriate for Marriott to implement a form of server hardening as a preventative measure, which could have prevented the attacker from gaining access to administrator accounts and preventing them from traversing across the network. In particular, the ICO considered that whitelisting (for example, in relation to IP addresses or permitted software) should have been deployed where appropriate on critical systems and systems which have access to large amounts of personal data.

• Encryption

Whilst some information was encrypted by Marriott (for example where required for PCI-DSS compliance), encryption was not applied to other categories of non-payment related personal data. The ICO were particularly concerned that not all passport numbers were encrypted. The ICO did not accept Marriott’s suggestion that it would be impractical to implement more encryption than it had. In particular, the ICO suggested that encrypted personal data could have been accessed and decrypted in almost real-time by using unique identifiers to cross reference to the encrypted content.

It is interesting that both Marriott and British Airways submitted, due to similar reasons, that the ICO had applied the wrong fining tier (i.e. 4% for a contravention of Article 5(1)(f) as opposed to 2% under Article 32) although the ICO rejected these submissions and provided near identical reasoning for its rejection, which we have set out in our blog post analysing the British Airways fine (https://hsfnotes.com/data/2020/10/21/the-not-so-mega-mega-fine-ico-fines-british-airways-20-million-for-its-2018-data-breach/).

A note on due diligence

As widely noted, this case has highlighted the importance of data and cyber security due diligence in corporate transactions. The ICO has now shed some further light on what it expects from corporate transactions and the due diligence process, although not necessarily in a way in which we might have expected.

During its representations, Marriott raised that it was only able to carry out limited due diligence on Starwood’s data processing systems and databases as part of the acquisition process. Marriott also submitted that it is “not tenable to proceed on the basis that acquisition due diligence is a “seemingly endless” process”. Interestingly, the ICO acknowledges this in the Penalty Notice, particularly that there may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover. However, it ultimately avoids the need to address this since it was not making any finding of infringement in respect of the period between Marriott’s acquisition of Starwood and the entry into force of the GDPR in May 2018. Instead, the Penalty Notice concerns the extent to which Marriott adequately managed the Starwood systems to protect personal data after the GDPR came into effect.

In any event, organisations should be aware that it is not possible to point to the limited due diligence process available to acquirers in a corporate transaction as an explanation for missing any hidden data vulnerabilities or breaches pre-acquisition. Instead, the ICO confirms that the “need for a controller to conduct due diligence in respect of its data operations is not time-limited or a 'one-off’ requirement” and, given this ongoing duty, it is “no answer to claim that certain due diligence steps were, or only needed to be, taken in the period immediately after acquisition”. Significantly, the ICO is of the opinion that even if adequate due diligence had been undertaken at the point of acquisition, that would not have removed Marriott’s obligation to ensure, on a continuing basis, that it complied with the GDPR (once it came into force).

While actually performing low level technical due diligence on systems as part of an acquisition (i.e. of the sort that might detect such intrusions) is likely to be challenging for the above reasons, there are plenty of things that prospective purchasers can do to manage their risk. Due diligence questionnaires afford the opportunity to ask questions about the compliance, IT, security and other systems and controls that the target company has in place, and to tie warranties to those questions. Secure infrastructure would ordinarily be accompanied by a suite of design documentation, policies, security personnel, audit reports and the like, that evidence security best practices being in place. Where asking the right questions during due diligence, and following the chain of enquiry that results, exposes issues, often provision can be made for part of the purchase price to be held in escrow pending resolution.

What is next

Although significantly below the level set out in its notice of intent, this fine, along with the £20 million fine on British Airways, indicates that the ICO is taking GDPR penalties seriously and may be sign of things to come (probably at the 8 figure, rather than the 9 figure, range).

Marriott has stated that it does not intend to appeal the ICO’s decision, but makes no admission of liability in relation to the decision or the underlying allegations.