To lose one dataset, Mr Marriott, may be regarded as a misfortune; to lose two looks like carelessness

In September 2019, we covered the news that the Information Commissioner’s Office (ICO) intended to levy a £99 million fine on Marriott International Inc. (“Marriott”), following a data breach that resulted in 339 million guest records held in the Starwood Hotels group’s guest reservation database being subject to unauthorised access over the period 2014-2018.

The first breach

By way of background, in 2016 Marriott acquired the Starwood Hotels group which included the Westin, Sheraton, St. Regis, and W Hotel brands. Marriott’s due diligence during the acquisition process failed to expose the breach and worse, left the reservation system in place, whilst laying off the Starwood IT staff who might have been able to identify the weaknesses in the system faster than Marriott did. As a result the unauthorised access of the system continued and was not discovered by Marriott until 8 September 2018. 

The ICO noted that Marriott failed to identify and act on the poor security culture at Starwood, such that even though there was ongoing third party access to the reservation system, Marriott did not discover this for two years. 

The second breach

One might have expected Marriott to review and enhance its security practices and systems to prevent any recurrences of data breaches. However, on 31 March 2020, Marriott announced that it had again suffered a major breach.

This breach resulted in the exposure of the personal details of approximately 5.2 million guests. The breach began in mid-January 2020 and was discovered at the end of February 2020. The details included the names, addresses, birthdays, gender, email addresses, telephone numbers, room stay preferences and loyalty account numbers of data subjects. Marriott says it does not believe passports, passwords or payment details were exposed though the breach is still being investigated.

Access is believed to have been gained by a third party via the credentials of two employees of one of Marriott’s hotels. This time the breach was of the platform housing data of the Marriott Bonvoy loyalty scheme, itself the consolidation of three pre-existing loyalty schemes for the Marriott, Ritz-Carlton and Starwood brands. The scope of the breach is, as with the first one, likely to affect customers globally.

Following the discovery of the breach, Marriott notified affected guests by email on 31 March 2020, and has set out additional measures, including providing, at Marriot’s cost, free access for guests to sign up to a personal information monitoring service for 1 year, to assist them in identifying fraudulent activity.

The ICO began their investigation as the lead supervisory authority under the EU “one-stop shop” regulatory principle. Although the UK left the European Union on 31 January 2020, the principle still applies while the UK is in its transition period. If the transition period ends as planned on 31 December 2021, the ICO will lose this privilege. However, it is likely to continue leading on existing investigations for breaches which occurred either during the UK’s membership or during the transition period.

Analysis

At a time when Marriott is still awaiting a penalty notice confirming the £99 million fine for the 2018 breach, it appears for the second time in as many years to be unable to fulfil its responsibilities as a data controller. For this to happen at a time when its hotels are shut due to most of the world being under some version of the COVID-19 lockdown will add further financial pain and damage to its brand reputation.

Data controllers and processors must handle data in accordance with the data protection principles at Article 5 of the General Data Protection Regulation (GDPR). Data must be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• Accurate and, where necessary, kept up to date
• Kept in a form which permits identification of data subjects for no longer than is necessary and
• Processed using appropriate technical or organisational measures in a manner that ensures appropriate security of the personal data. 

In September, we noted that the ICO had only issued a notice of intention to fine, which was issued on 9 July 2019. Normally, the ICO would have six months to issue a penalty notice, confirming or modifying the amount of the fine. However, extensions were granted in January and again in April, ostensibly to allow the ICO to complete its investigations, and to consult with other European data protection bodies. Marriott has issued a statement noting mutual agreement with the ICO to extend the regulatory process to 1 June 2020. In the meantime, Marriott continues to make strong representations in relation to the level of the proposed fine.

It is likely that the ICO is also mindful of the difficulties Marriott are facing in one of the sectors hardest hit by the COVID19 lockdown measures.

However, this second breach makes it apparent that Marriott is failing to process personal data in “a manner ensuring appropriate security…”. One might expect a number of strong recommendations from the ICO, demanding improvement in Marriott’s apparently deficient data protection practices, and an additional fine. 

Lessons

As with the first breach, Marriott could face fines from data protection authorities in other jurisdictions, as well as follow on actions from affected data subjects. At the time of writing, Marriott were already subject to a fine from Data Protection authorities in Turkey, as well as facing several class actions in the USA. There is also the reputational cost of being seen as a business that cannot be trusted to protect its customers’ data.

Cybercriminals will often sit on obtained data for some time, waiting for hype about a breach to die down before making use of them. Affected guests may be subject to follow up phishing attacks and other malevolent uses of their data.

It is not clear how the third party gained access to the login credentials of two employees. Businesses should have processes in place to ensure that their employees protect their credentials effectively as well detection systems to highlight data access breaches. Following the National Cyber Security Centre’s guidance on password use, linked here, would be a good start.