Marriott Hit With $24 Million GDPR Privacy Fine Over BreachPrivacy Regulator in UK Cautions Organizations to Conduct Thorough Due Diligence
Hotel giant Marriott has been hit with the second largest privacy fine in British history, after it failed to contain a massive, long-running data breach. But the £18.4 million ($23.8 million) penalty imposed by the U.K. Information Commissioner's Office was markedly lower than the £99.2 million ($128.2 million) fine that the regulator originally recommended.
The fine, for violating the EU's General Data Protection Regulation, centers on a massive data breach involving the Starwood guest reservation system. The breach began with an attack against Starwood Hotels and Resorts Worldwide in July 2014. In 2016, Marriott acquired Starwood. But it failed to spot the breach until September 2018.
Exposed data included names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, encrypted payment card information. The ICO says the identity of the attacker remains unknown.
Marriott estimates that the breach exposed personal information for approximately 339 million customers worldwide, but cannot give a more precise number, as there may have been multiple records for individual customers.
GDPR empowers EU regulators to levy fines of up to 4% of an organization's annual global revenue or €20 million ($23.3 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data.
"Although the fact that Marriott got a much lower fine than originally announced may send out a mixed message, this should not deter organizations from taking data security seriously, and organizations should also bear in mind that class-actions for compensation may yet add to the final bill in cases like this one," says Jonathan Armstrong, a partner at London-based Cordery.
"Despite the reduction, the case is still a salutary lesson of the need to keep data safe and in particular the need to take care when doing due diligence in acquisitions."
— Jonathan Armstrong, Cordery
In March, Marriott disclosed a separate breach, which ran this year from mid-January through the end of February and exposed email addresses, mailing addresses, Bonvoy - aka loyalty - rewards numbers and other personally identifiable information for 5.2 million customers (see: Marriott Suffers Another Massive Data Breach). So far it's unclear if the hotel giant might face fines over breach under GDPR, the California Consumer Privacy Act or other regulations.
Multiple 'Failures' by Marriott
Across the European Economic Area - including EU countries and also Iceland, Liechtenstein and Norway - the four-year Starwood breach exposed an estimated 30.1 million individuals' details, including 7 million U.K. customers' records.
The ICO says attackers were able to install a web shell on a Marriott website and gain direct access to a server and install a remote access Trojan to maintain persistent, remote access. Later, the attackers deployed open source Mimikatz software to steal passwords, and memory-scraping malware to steal payment card details, investigators say.
"The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation," the ICO says in its penalty notice.
We have fined Marriott International Inc £18.4 million for failing to keep customers’ personal data secure. Marriott estimated that 339 million guest records worldwide were affected.— ICO (@ICOnews) October 30, 2020
Read more about the fine: https://t.co/S99ixGrLU7 pic.twitter.com/b2br06QfVh
Based in Washington, Marriott International has over 7,300 hotel and guest properties in 134 countries and territories around the world. In addition to the Marriott name, its 30 brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. In 2019, the company had $20.9 billion in revenue.
"Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not," says U.K. Information Commissioner Elizabeth Denham.
“When a business fails to look after customers’ data, the impact is not just a possible fine," she adds. "What matters most is the public whose data they had a duty to protect.”
Marriott has continued to apologize for the breach and has also retired the Starwood database that was originally hacked in 2014.
“Marriott deeply regrets the incident," the company says in a statement. "Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
The company says it will not contest the final fine. "Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations," it says. "As the ICO acknowledges, Marriott cooperated fully throughout the investigation."
One notable aspect about the fine imposed on Marriott is that it is just one-fifth of the fine that the ICO originally recommended in July 2019, which Marriott had contested.
But the reduction is not nearly as big as with the final fine that the ICO recently imposed on British Airways, in connection with a 2018 data breach that exposed the personal information of about 430,000 customers, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised. In its initial July 2019 penalty notice, the ICO had proposed fining BA a record £184 million ($238 million). But last month, the regulator issued a final fine of just £20 million ($26 million).
Legal experts say the final fines being lower than the proposed penalties is not surprising. Indeed, the ICO earlier this year noted that because of the ongoing coronavirus outbreak, it planned to adjust its regulatory approach, not least because of the staffing and financial impact that COVID-19 was having on organizations (see: GDPR and COVID-19: Privacy Regulator Promises 'Flexibility').
Under GDPR, after proposing a fine, regulators have 12 months to issue a final fine, unless it proposes delaying the imposition of the fine, and the organization that is being investigated agrees.
Both Marriott and BA had agreed to delays in their final fine.
In the case of BA, which has been especially hard hit by the pandemic, "as part of the regulatory process, the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty," the regulator said last month.
The ICO says it took the same approach with Marriott. "As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty," it says.
"The ICO acknowledges that Marriott acted promptly to contact customers and the ICO," it adds. In addition, Marriott "acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems."
Fine Represents Full EU Penalty
The ICO has also clarified that its penalty represents the only GDPR fine that Marriott will face over this breach. Legal experts said that with Britain having exited the EU on Jan. 31 - via its Brexit process - it was unclear if the remaining 27 EU member states' data protection authorities might need to commence a fresh investigation.
"Because the breach happened before the U.K. left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR," the ICO says. "The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process."
Cordery's Armstrong says the Marriott breach - reduced fine or not - remains a cautionary lesson for any organization involved in mergers or acquisitions.
"Despite the reduction, the case is still a salutary lesson of the need to keep data safe and in particular the need to take care when doing due diligence in acquisitions," he says.
Class-Action Lawsuits Continue
Marriott seeing the ICO end its investigation is not the end of the legal challenges the hotel giant faces over the Starwood breach.
Numerous civil lawsuits remain ongoing, including a class-action lawsuit filed in England and Wales in August, under GDPR.
The company also faces lawsuits in Canada, and in the United States, a judge in early 2019 combined 11 class action lawsuits over the breach into a single one. In February, a judge ruled that the lawsuit in the U.S. against Marriott should proceed.