Marriott penalty notice: The download
The fine faced by US hotel chain Marriott International Inc is significantly less than the £99m originally suggested by the ICO in July 2019: it has been reduced to £18.4m.
An attack on Starwood's customer database exposed personal information for approximately 339 million customers: this breach went unnoticed for four years, continuing after Marriott's acquisition of Starwood in September 2016, and was only picked up in September 2018. The personal data involved included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership number. The data subjects affected by this breach were Starwood customers in the UK, elsewhere in the EU and in the rest of the world.
The events
In July 2014, the attacker installed a web shell on a device within the Starwood network, which allowed them to install Remote Access Trojans ("RATs" - malware which enables remote administrator control of the system). This allowed the attacker to install and execute "Mimikatz", a tool which allowed login credentials temporarily stored in the system memory to be harvested. Following Marriott's acquisition of Starwood, memory-scraping malware was installed on multiple Starwood devices, which searched devices for payment card data. The attacker continued to create database dumps between April 2015 and May 2016.
On 7 September 2018, the attacker triggered an alert from the Guardium monitoring software placed on the database, which was configured to cover tables that included card details. The next day, Accenture, the company managing the Starwood Guest Reservation Database, notified Marriott's IT team of the alert. Marriott then instigated its response plan, intended to monitor the local system and identify potentially malicious activity in real time.
On 22 November 2018, Marriott notified the ICO of the breach (as the breach was notified before Brexit, the ICO dealt with it on behalf of all EU authorities as lead supervisory authority under the GDPR). On 30 November 2018, it provided a follow-up report to the ICO, issued a press release about the attack and established a dedicated incident website. It also began sending emails to all affected data subjects, but it omitted the telephone number for the dedicated call centre to receive complaints. Following contact by the ICO, this was later updated and re-sent on 9 December 2018.
Procedure
Further to the notification to the ICO by Marriott on 22 November 2018, the ICO started an investigation into the incident. On 5 July 2019 it issued Marriott with a Notice of Intent to impose a penalty of £99,200,396. Marriott made two rounds of written representations and, at the ICO's request, provided it with further information and documents.
Due to the impact of Covid-19, on 17 April 2020 the parties agreed an extension for the issuing of a penalty notice to 30 September 2020.
The ICO's Decision
The ICO concluded that between 25 May 2018 (when the GDPR entered into force) and 17 September 2018, Marriott failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR, by failing to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures. The four principal failings of Marriott were described as follows:
Insufficient Monitoring of Privileged Accounts: Marriott failed to put in place appropriate ongoing monitoring of user activity, particularly in relation to privileged accounts. Although Marriott had Multi-Factor Authentication in place, and had certain additional security measures, this was not sufficient - it should have had better monitoring of user activity to aid in detection of an attack.
Insufficient Monitoring of Databases: The ICO was concerned by deficiencies in Marriott's setup of security alerts on databases and the failure to aggregate logs.
Control of critical systems: The ICO found that Marriott should have implemented a form of server hardening as a preventative measure, e.g. whitelisting (which only allows certain users or IP addresses to access certain systems or software).
Encryption: While payment card data, and in some cases, passport numbers, were encrypted by Marriott, encryption was not applied to other categories of data. The ICO was particularly concerned that not all passport numbers were encrypted.
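As an added illustration of the two monitoring failings above (it is not from the penalty notice or Marriott's systems): database audit lines from several hosts are aggregated into one view, then checked for bulk reads of sensitive tables per account and for privileged accounts used from hosts outside an allowlist. The log format, host, account and table names, IP addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines from two database hosts (assumed format:
# timestamp host account table operation rows source_ip). Note that each
# host's card_details read is below BULK_ROWS on its own; only the
# aggregated view across hosts reveals the bulk export.
SAMPLE_LOG = """\
2018-09-07T02:10:01Z db-ny-01 svc_reporting guest_profiles SELECT 120 10.1.4.20
2018-09-07T02:10:09Z db-ny-01 dba_admin card_details SELECT 40000 10.1.4.77
2018-09-07T02:10:15Z db-ldn-02 dba_admin card_details SELECT 45000 10.1.4.77
2018-09-07T02:11:02Z db-ny-01 dba_admin passport_numbers SELECT 30000 192.0.2.15
2018-09-07T02:12:40Z db-ldn-02 svc_booking guest_profiles UPDATE 1 10.1.4.20
"""

SENSITIVE_TABLES = {"card_details", "passport_numbers"}  # assumed names
PRIVILEGED_ACCOUNTS = {"dba_admin"}                       # assumed name
ADMIN_ALLOWLIST = {"10.1.4.77"}   # hosts permitted to use privileged accounts
BULK_ROWS = 50000                 # rows read from one sensitive table per account

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_audit(text):
    """Aggregate audit lines from every host into one list of records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than stop the pipeline
        ts, host, account, table, op, rows, src = m.groups()
        records.append({"ts": ts, "host": host, "account": account,
                        "table": table, "op": op, "rows": int(rows), "src": src})
    return records

def detect(records):
    """Return alerts for privileged use from unlisted hosts and for bulk
    reads of sensitive tables, with row counts summed across all hosts."""
    alerts = []
    totals = defaultdict(int)
    for r in records:
        if r["account"] in PRIVILEGED_ACCOUNTS and r["src"] not in ADMIN_ALLOWLIST:
            alerts.append(("privileged-from-unlisted-host", r["account"], r["src"]))
        if r["table"] in SENSITIVE_TABLES and r["op"] == "SELECT":
            totals[(r["account"], r["table"])] += r["rows"]
    for (account, table), rows in totals.items():
        if rows >= BULK_ROWS:
            alerts.append(("bulk-sensitive-read", account, table, rows))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_audit(SAMPLE_LOG)):
        print(alert)
```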
Calculation of the fine
As it did with the BA fine, the ICO went through the five-step process outlined in its Regulatory Action Policy and considered that a penalty of £28m would be appropriate before adjustment. That figure was reduced by 20% to £22.4m for mitigating factors such as Marriott's steps to address the effects of the breach and notify data subjects. It was reduced further to £18.4m by applying the ICO's Covid-19 guidance, which states: "as set out in the Regulatory Action Policy, before issuing fines we take into account economic impact and affordability".
Comment
Limitations of M&A due diligence: The ICO made it clear that it was only concerned with whether, after the GDPR came into effect on 25 May 2018, Marriott adequately prepared the Starwood systems to protect personal data, and that it was not concerned with the period prior, acknowledging that "there may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover". However, the fact remains that Marriott could not be protected from this significant (albeit reduced) fine by its due diligence or share purchase warranties, illustrating the practical difficulties an acquirer will face when its target turns out to carry a previously undetected cybersecurity risk.
Timing issues when integrating systems are not an excuse for non-compliance: Marriott acquired Starwood in September 2016; following that the systems were kept separate (and remained separate throughout the relevant period). Marriott had an 18 month plan to integrate aspects of the Starwood network into the Marriott network to create a single, unified network within Marriott's footprint in the first quarter of 2018. However, the ICO pointed out that the intended decommissioning was delayed to the end of 2018, and Marriott would have been aware in early 2018 that the GDPR was coming into force and that it would be continuing to process data within the Starwood network for a number of months after that.
Dangers in using legacy systems: Marriott made submissions on the improvements it made to Starwood's systems post-acquisition, pointing to these as evidence of appropriate due diligence. However, the ICO noted that none of these steps identified the "relevant, easily detectable, deficiencies in Marriott's security". Therefore, they do not answer the concern that Marriott continued to use the Starwood system without remedying the clear security deficiencies.
The impact of Covid-19 on ICO fines: Although the dramatic decrease in the fine from the Notice of Intent might be thought to indicate "Covid-19 pragmatism", the ICO said that although the pandemic has had a significant impact on Marriott's revenues, the penalties in the ranges it proposed will not cause Marriott financial hardship. Nevertheless, the ICO ultimately reduced the fine by £4m (a 22% discount from the £22.4m figure after considering mitigating factors), in light of the pandemic and associated economic consequences. Interestingly, the reductions mirror those applied in the BA case.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.