
Hotel chain hit with fine for data breach

Marriott International Inc ("Marriott") has been fined £18.4 million by the Information Commissioner's Office (ICO) for data protection failings affecting an estimated 339 million customers.

What was the breach?

The fine relates to a cyber-attack on Starwood Hotels and Resorts Worldwide Inc ("Starwood"), which began in 2014 but was not detected until September 2018. Starwood was acquired by Marriott in 2016, so the attacker had been inside the Starwood estate for around two years before the acquisition and for a further two years afterwards. Marriott told the ICO that it had only been able to carry out limited due diligence on Starwood's data processing systems and databases during the acquisition process.

Customers affected by the breach had their personal data exposed, including names, email addresses, phone numbers, passport numbers, travel information, and hotel VIP and loyalty membership details.

Unidentified attackers installed a web shell on a device in the Starwood system, enabling them to access and edit the contents of that device remotely. They then used it to install malware that gave them remote access as a privileged user, and therefore unrestricted access to that device, to the databases and other information stored on it, and to other devices on Starwood's network. The attackers also installed credential-harvesting tools to obtain the login credentials of other users on the Starwood network, which allowed them to reach the guest reservation database and export its contents. The ICO found that this activity went undetected for four years, which is the point a security practitioner should take from the case: the initial foothold mattered less than the absence of monitoring that would have caught the privileged access, the credential harvesting or the bulk export.

The ICO investigated the breach on behalf of all EU supervisory authorities as lead authority under the GDPR, because the affected guests were spread around the world, with around 30 million from the European Economic Area and 7 million from the UK. The penalty relates only to the period from 25 May 2018, when the GDPR came into effect, to the discovery of the breach. The ICO concluded that Marriott had failed to implement appropriate technical and organisational measures to protect the personal data processed on its systems, as required by Article 32 of the GDPR.

Information Commissioner Elizabeth Denham said "When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."

£18.4 million fine for security breach

The fine confirmed by the ICO is significantly lower than the £99.2 million stated in its initial notice of intent, issued in July 2019 (see our previous newsflash on this here).

Since issuing the original notice, the ICO considered representations from Marriott, including the steps taken to mitigate the effects of the breach. Having taken those mitigating factors into account, the ICO arrived at a penalty of £22.4 million. It then had regard to the economic impact of Covid-19, considered that a further reduction was appropriate and proportionate, and reduced the penalty payable to £18.4 million.

The ICO acknowledged that Marriott had acted quickly to mitigate the damage once it discovered the breach, including notifying affected customers and regulators, and that it had since improved its security measures.

The penalty notice can be accessed here.

What should you do?

This matter highlights the importance of organisations having robust security controls and policies in place to ensure that customer data are protected, and of being able to detect an intruder who has already obtained privileged access, not merely to keep one out. It also emphasises the importance, wherever possible, of undertaking thorough due diligence on data protection and information security when an organisation is considering merging with or acquiring another organisation: an acquirer inherits the target's existing compromises along with its systems, and the regulator will hold the acquirer responsible for the personal data it controls from the date of acquisition.

Ward Hadaway regularly advises companies on GDPR and information security matters. If you are a controller of personal data, incidents like this emphasise the importance of having appropriate and robust data protection policies in place and ensuring that management staff are thoroughly trained in their implementation and in data protection generally.

Our team of data protection experts are experienced in dealing with these types of issues. For more details on how we can help you, or for guidance in relation to any of the matters raised in this case, please get in touch.


Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.
