On 30 October 2020, the UK’s data privacy regulator, the Information Commissioner’s Office (ICO) issued a final penalty notice (Penalty Notice) to fine the hotel chain Marriott International, Inc. (Marriott) for a GDPR data breach caused by a sophisticated hacking of its systems. In a strikingly similar fashion to the recent British Airways (BA) GDPR final penalty notice, Marriot received a near-record breaking initial fine of £99.2 million. Following more than two years of representations, the fine has been cut by over 80% to £18.3 million as a result of co-operation, mitigating factors, and a revision of the ICO’s turnover-centric approach to calculating fine amounts. The Penalty Notice is also a reinforcement of the ICO’s message that all data controllers, regardless of the primary service they provide, must have adequate and up-to-date security measures in place to prevent data loss through sophisticated cyberattacks.
The ICO was notified by Marriott in November 2018 of an incident that exposed approximately 339 million guest records worldwide over a period of four years due to a sophisticated hacking of recently acquired subsidiary Starwood Hotels group. Starwood Hotels experienced a cyberattack in 2014, through which an unknown hacker had installed code on the Starwood computer systems, giving remote access to view and edit data on the network. Marriot acquired Starwood in September 2016 but failed to discover the customer information exposure until November 2018. During this period, an estimated 30 million residents of the European Economic Area (EEA) were affected, along with seven million UK residents. The personal data affected included unencrypted passport details, phone numbers, booking information and credit card data.
The ICO held that there were several distinct weaknesses in the security systems that Marriott ought to have identified and remedied in the four months between the GDPR coming into force and the ICO being notified of the data breach. There were multiple failings from a security perspective, including failing to sufficiently monitor privileged accounts and databases, and encryption failings. The breach serves as a reminder of the importance of effective due diligence in the run up to an acquisition involving any large-scale processing of data and ensuring that any issues raised are quickly acted upon.
In the Penalty Notice £28 million was identified as an appropriate starting point to dissuade future GDPR breaches and to proportionately penalise Marriott. A reduction of 20% to £22.4 million was made considering Marriot’s full co-operation with the investigation, widespread reporting of the attack raising awareness of ongoing GDPR obligations, and to account for financial loss already incurred through reputational damage. A further reduction to £18.4 million due is credited to the adverse impact of COVID-19 on the hotel business.
Similarities With BA Breach
Like the BA notice, the dramatic decrease between the initial and final fine is a result of the ICO’s shift from reliance on an unpublished, turnover-centric policy in calculating fines. Both BA and Marriott argued it was unlawful to rely on an unpublished policy and that there is no logical relationship between a breach involving a malicious attack and turnover, as the entity hacked does not profit from the breach. The ICO responded in both cases by relying less heavily on turnover as an indicator but refusing to rule out its continuing importance alongside other factors.
The ICO has also reinforced its approach to require high standards from all data controllers regardless of their area of business. BA and Marriott process large volumes of personal information, including sensitive data, and so must have a duty to ensure adequate systems are in place to protect data from sophisticated hackers. The ICO highlights the importance of constant monitoring and stress testing of security systems to ensure this goal is achieved, particularly when acquiring new systems or businesses.