Marriott International says it will fight a large fine resulting from a massive data breach that was discovered in 2018.
Following the July 8 statement of intention to fine British Airways £183 million, the UK Information Commissioner’s Office (ICO, the UK data protection regulator) announced on July 9 that it also intends to fine Marriott International £99,200,396 (just over $123.5 million). This should be a wake-up call to all companies of any nationality that expose the data of European citizens.
Marriott President and CEO Arne Sorenson said the company will fight the fine. “We are disappointed with this notice of intent from the ICO, which we will contest,” Sorenson said in a statement.
Marriott disclosed a breach ‘involving the Starwood guest reservation database’ and reported the incident to the ICO in November 2018.
Marriott International is the world’s third largest hotel chain, with just under 6,000 hotels in around 110 countries. It was founded in 1927 by John Willard Marriott, and is now headed by his son Bill Marriott. It is headquartered in Bethesda, Washington DC.
According to the ICO statement of intent, “It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.”
Personal data from approximately 339 million guest records were exposed. Thirty million of these related to residents of 31 countries in the European Economic Area (EEA), with 7 million in the UK — bringing the breach within the jurisdiction of the EU’s General Data Protection Regulation (GDPR).
The ICO found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Information Commissioner Elizabeth Denham commented, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” She added that if companies do not protect personal data, “we will not hesitate to take strong action when necessary to protect the rights of the public.”
“This is a very strong indication that the ICO, the UK’s GDPR Supervisory Authority, is now prepared to play hardball with organizations who they consider have demonstrably failed to protect EU citizen data under their stewardship. GDPR just got real in the UK,” warns Matt Walmsley, Head of EMEA Marketing at Vectra.
Chris Kennedy, CISO at AttackIQ, warns that GDPR is changing the cost landscape for a breach. “The frequency and cost of suffering a breach both continue to rise, especially for businesses that expose EU citizens’ data. Companies must now factor in the cost of fines under GDPR and CCPA, the costs of reparations for customers exposed, and litigations that could very well be in the hundreds of millions.”
Matt Middleton-Leal, general manager for EMEA & APAC at Netwrix, added that the fine “heralds a new era of greater regulatory power. Watchdogs’ barks may once have been considered worse than their bite, but this is no longer the case since the introduction of GDPR.”
This is the first major GDPR breach fine on an international company that is not fundamentally European. The French regulator, CNIL, fined Google £50 million — but that was over non-GDPR-compliant procedures rather than a breach and loss of personal data.
The ICO led the investigations into both the BA and Marriott incidents under GDPR’s ‘one-stop-shop’ procedure. This allows one national regulator to handle the process for the whole of the European Union. The UK has probably Europe’s best-resourced data protection office, and will likely take the lead in many major investigations. The size of these two fines demonstrates to other European nations that the UK can be trusted not to be soft on GDPR.
However, the apparent disparity between the BA fine (£183 million for compromising 500,000 customers) and the Marriott fine (£99 million for compromising 30 million EEA residents) could give BA some hope for its appeal. GDPR fines are not related purely to victim numbers, but include many other factors around the security posture and behavior of the company concerned. We are not currently privy to the details behind the ICO’s decisions, but these may become clear if either company proceeds to appeal. Those details will be as educational to other companies within the GDPR jurisdiction as the size of the fines is.
“After much discussion around the lack of substantial GDPR enforcement,” suggests Rick Holland, CISO and VP of strategy at Digital Shadows, “we are starting to see hefty fines for the exposure of European citizens’ personal data. The penalties should highlight to global businesses that it is naïve to ignore GDPR. It is truly global, not just European. Furthermore, multinational companies that thought that the global social media brands would exclusively be targeted were wrong.”