Marriot International has been fined a total of £18.4 million (a reduction from the original £99 million) for its negligence in safeguarding customer personal data that it is responsible for. It was identified that a data breach occurred in 2014 as a result of a targeted cyber-attack, affecting almost 400 million guest records from individuals around the world with an estimated seven million guest records just from the UK alone. The types of personal data involved typically included:
- Email Addresses
- Phone Numbers
- Encrypted passport numbers
- Flight & Travel information
- VIP status and loyalty programme membership information
This breach remained undetected for four years and it was only in September 2018 that the alarm was raised, several months after the implementation of the GDPR. The cyber-criminal remained active during this time, picking and selling customer data on the black market at a whim.
There are two very interesting factors regarding this rather unique data breach.
- The data breach occurred before the implementation of the GDPR, but since it was noticed after the GDPR became law, the regulation and associated penalties still apply
- The data breach occurred under a different business, known as ‘Starwood Hotels group’, but has since been acquired by Marriott. Despite not being the governing corporation during the time of the breach, they have inherited the penalty from it. Talk about a poisoned chalice, right?
The Information Commissioner’s Office (ICO) investigated the incident on behalf of all EU authorities as the lead supervisory authority within the UK. The ICO concluded that there were insufficient safeguards in place, however acknowledged that Marriott acted quickly and improved their systems once the flaw was identified.
How did the hacker gain entry?
The anonymous criminal was able to install a ‘web shell’ onto a device within a Starwood Hotels group system which would allow them to gain access and edit file contents remotely. A web shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. Once this remote access was secured, the hacker installed various other malicious tools to record credentials of users.
The hacker was able to exploit all this due to Starwood Hotels failing to implement safeguards and security checks. On top of that, Marriott failed to do thorough inspections during the acquisition process, allowing the data breach to continue unchecked.
Even though the fine has been reduced in the wake of the economic strain resulting from Covid-19, this situation could have easily been avoided through careful management of personal data practices. Regular checking of people’s access and thorough Data Mapping could have highlighted the issue much earlier, resulting in a less severe data breach and a smaller fine. This regular checking can be facilitated through the use of dedicated review meetings and internal audits to ensure that business processes are up to scratch with the latest GDPR requirements.
Since the incident, Marriott has made the following statement:
External GDPR experts are available to help sort out how your business can achieve compliance. Find out more today with Tacita.