The U.K.’s privacy watchdog is hitting Marriott International with a $123 million (£99 million) penalty stemming from its 2018 data breach of more than 383 million guest records.
The Tuesday fine was issued by the Information Commissioner’s Office (ICO) and comes only a day after the regulator proposed a record $230 million fine against British Airways for its own 2018 data breach. Experts say the back-to-back penalties signal that regulators are increasingly cracking down on company data security incidents under the umbrella of the General Data Protection Regulation (GDPR).
The ICO said its investigation found that Marriott failed to undertake sufficient due diligence when it bought the Starwood properties, and should also have done more to secure its systems: “The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in a statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
In November 2018, Marriott said that a massive data breach of its guest reservation system left up to 500 million guests’ data exposed and available for the taking, a number that was later corrected to 383 million records.
The hackers gained unauthorized access to Starwood’s network back in 2014, before Marriott acquired Starwood in 2015. Marriott said it discovered the breach on Sept. 8, 2018.
Tim Mackey, principal security strategist at Synopsys’ Cybersecurity Research Center (CyRC), told Threatpost that in the case of Marriott, “it comes as a result of a merger and acquisition scenario.”
He noted, “So whenever an acquirer is looking at a potential acquisition target, one of the things they’re trying to assess is what the latent risks are to the business… in all likelihood, the Marriott team didn’t necessarily look at what the potential for a latent undisclosed data breach might be. And so now, there’s an actual real cost associated with not having a clear picture on the IT operations of an acquisition target.”
Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of its guests.
Marriott for its part hit back saying it would appeal the proposed penalty.
“We are disappointed with this notice of intent from the ICO, which we will contest,” Arne Sorenson, Marriott International president and CEO, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”
The penalty comes a day after ICO proposed a $230 million fine on British Airways, after a 2018 data breach impacted 500,000 of the airline’s customers.
That fine would be the largest levied under GDPR, surpassing previous penalties such as a $57 million fine against Google, as well as other ICO penalties including a $645,000 fine for Facebook that stemmed from Cambridge Analytica’s data harvesting practices, and a $645,000 fine for Equifax over the company’s failure to protect 15 million U.K. citizens in a 2017 cyberattack. Since GDPR came into force in May 2018, the rules allow for maximum penalties of as much as 4 percent of a company’s global turnover.
“Effectively we’ve just crossed the one-year anniversary [of GDPR], and since it’s not a case of individuals being able to bring suit against the companies that were breached, it has to go through the regulatory review process in whatever country the entity has its base of operations in,” Mackey said. “Yesterday was all about British Airways, today is about Marriott… Marriott is not an EU enterprise, it is a global enterprise, and as a result this hammers home the reality that GDPR applies to all organizations regardless of where they’re located… it’s based primarily off of where the breached parties are located, so in this case EU residents.”