Marriott Faces $125 Million GDPR Fine Over Mega-BreachBreach Persisted 4 Years - and Through Acquisition - Before Being Discovered
Britain's privacy watchdog has previewed a suggested fine of £99 million ($125 million) under the EU's General Data Protection Regulation against hotel giant Marriott for its failure to more rapidly detect and remediate a data breach that persisted for four years.
The massive data breach exposed approximately 339 million customer records globally, of which about 30 million related to residents of 31 countries in the European Economic Area and 7 million to U.K. residents, Britain's Information Commissioner's Office said on Tuesday. The ICO enforces the country's data protection laws, including GDPR.
The previewed GDPR fine was first revealed on Tuesday when Marriott International, based in Bethesda, Maryland, said in a filing with the U.S. Securities and Exchange Commission that "the U.K. Information Commissioner's Office (ICO) has communicated its intent to issue a fine in the amount of £99,200,396 against the company in relation to the Starwood guest reservation database incident that Marriott announced on November 30, 2018."
Marriott said the long-running breach exposed such information as names, mailing addresses, phone numbers, email addresses, passport numbers, and, in some cases, encrypted payment card information. Marriott says the breach appears to have begun with a 2014 network hack of Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 for $13 billion (see: Marriott's Mega-Breach: Many Concerns, But Few Answers).
Marriott says it has been assisting the ICO with its investigation and has overhauled aspects of its security program since discovering the breach.
Data Protection Failure
The ICO says Marriott's security practices and procedures failed to protect personal information. "The GDPR makes it clear that organizations must be accountable for the personal data they hold," says U.K. Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."
Under GDPR, EU data protection authorities, including the U.K.'s ICO, can fine organizations up to 4 percent of their annual global revenue or £17.9 million ($22.5 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to £9 million ($11.2 million) or 2 percent of annual global revenue. Regulators can also withdraw an organization's ability to process Europeans' personal data.
"Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset," Denham says. "If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
The proposed fine against Marriott is equivalent to just 0.006 percent of the hotel chain's 2017 revenue.
Marriott Plans to Contest Fine
Marriott has the right to respond to the proposed fine before the ICO makes its final determination. In a statement, Marriott says it "intends to respond and vigorously defend its position."
"We are disappointed with this notice of intent from the ICO, which we will contest," says Arne Sorenson, president and CEO of Marriott. "We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott."
Marriott said in a prior SEC filing that it had taken out a cyber insurance policy prior to the breach being discovered.
The ICO has been the lead European supervisory authority probing the Marriott breach on behalf of other EU member states. Under the "one stop shop" provisions of GDPR, the hotel chain will face only a single EU fine. But besides Marriott, data protection authorities in other European countries where residents were affected by the breach will also be allowed to weigh in on the fine proposed by the ICO before it gets finalized.
Multiple U.S. state attorneys general are also probing the Marriott breach.
Hotel Chain Retires Breached System
Marriott reported that as of Dec. 31, 2018, Starwood-branded hotels are no longer using the Starwood reservation system that had been breached. "With the completion of the reservation systems conversion undertaken as part of the company's post-merger integration work, all reservations are now running through the Marriott system," the company said earlier this year.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Follows Preview of BA Fine
News of the suggested fine by the ICO against Marriott arrived one day after the regulator said it is planning to fine flagship carrier British Airways a record-setting £184 million ($230 million) for security failures that helped precipitate two breaches last year - one in June, the other in October. The breaches involved attackers installing malicious code on BA's site that rerouted customers to a fraudulent site that stole their personal details, including payment card data (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
The ICO's investigation has found that the breaches exposed personal data for 500,000 BA customers.
The proposed fine against BA is equivalent to 1.5 percent of the airline's 2017 annual revenues.
Parent company International Airlines Group says it plans to contest the fine. "We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data," said Alex Cruz, chairman and chief executive of BA.
But Denham said BA had failed to put proper safeguards in place to protect customer data.
"People's personal data is just that - personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience," she said. "That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
First Major GDPR Fines Have Landed
The proposed BA and Marriott fines are the first major data breach fines to be announced since GDPR went into full effect on May 25, 2018.
What accounts for the delay? In fact, it's been expected (see: Marriott Mega-Breach: Will GDPR Apply?).
Historically, many major data breach investigations have taken a year or more to conclude. But the proposed fine against Marriott has been announced only eight months after the breach was reported to regulators, while the proposed fine against BA was announced 10 months after it reported the first breach.