The 2018 Marriott data breach was one of the biggest of its type in history, and the hotel chain was initially looking at receiving one of the biggest fines as well. After nearly two years of legal and regulatory wrangling, the UK ICO has substantially reduced the penalty. At £18.4 million it will still land comfortably within the top 10 of all GDPR fines to date, but drops considerably from the £99 million that was initially proposed.
UK ICO backs off of second-largest fine amount
The Marriott data breach made the news in late 2018, but dates back to 2014. The announcement came after the chain had acquired the Starwood family of hotels and resorts (which includes brands such as Sheraton and Westin), making it the largest hotel company in the world. The Starwood guest reservation system was breached at some point in 2014 and went unnoticed until September 2018, allowing the attackers to siphon off the personal information of some 383 million Starwood customers during that period of time. This was followed by a second breach of the Starwood loyalty program system, which impacted about 5.2 million of the chain’s customers.
The number of user records and the length of time over which the Marriott data breach went undetected are eye-popping, but the majority of those guests did not have sensitive personal information stolen from the system. Still, the estimated total damage was extremely troubling. The company lost 20 million encrypted passport numbers, 5.2 million unencrypted passport numbers, and 8.6 million credit card numbers (though only about 354,000 of these were still active and unexpired as of late 2018). Most of the information that was leaked was tied to the Starwood VIP status and loyalty program profiles: email and home addresses, phone numbers, dates of birth, dates of hotel stays and airline loyalty program numbers.
The UK ICO issued a statement of intent to fine Marriott in July 2019, initially proposing a penalty of at least £99 million. UK ICO found that Marriott had failed to do due diligence during its 2016 acquisition of Starwood and that it generally had insufficient security in place as required by the terms of the GDPR. The regulator rejected an argument from Marriott that the sophistication of the attack should be taken into account and that the majority of the breach window was prior to the GDPR going into effect, pointing out that the hotel chain lacked fundamental server hardening measures (such as a whitelisting system) and was hosting a great deal of unencrypted personal information.
In a statement about the overall impact of the Marriott data breach, UK ICO information commissioner Elizabeth Denham said: “Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
That proposed fine amount has nevertheless been cut down to less than one fifth of the original tally. UK ICO reportedly considered “economic impact and affordability” in reducing the fine, something that is permitted by the Regulatory Action Policy. It is reasonable to speculate that the deep hit to the travel industry caused by the prolonged Covid-19 pandemic was of major help to Marriott here; the company posted a larger-than-expected loss in August with a quarterly drop in revenue of 72.4%. While the hotel giant says that occupancy rates have been increasing since September, it projects that it will not return to pre-Covid revenue levels for about three years. The company has also laid off hundreds of workers at its headquarters in Maryland in recent months.
The fine amount will be about 0.6% of Marriott’s annual revenue; the original amount would have been about 3%, with the GDPR allowing for up to 4% in serious cases such as this with millions of impacted customers. UK ICO said that it also considered Marriott’s efforts to mitigate the damage in addition to the blow it took from the pandemic. Marriott says that it has revamped its internal systems, created a dedicated website to explain the potential breach consequences to consumers, and emailed millions of guests with an offer of free credit monitoring. The company has also not yet indicated that it plans to appeal the reduced fine amount.
Marriott data breach continues trend of relatively small GDPR fines
While the GDPR provides for substantial maximum fines, regulators have thus far appeared very hesitant to apply them. The Marriott data breach is another example in a seeming trend of relatively minimal fines for serious incidents that compromise the personal information of very large groups of people.
As Ilia Kolochenko, Founder & CEO of ImmuniWeb, observes: “This present (Marriott data breach) … may disincentivize some organizations, hit by the spiralling pandemic, in investing in cybersecurity and data protection. We already observe some industries freeing their cybersecurity budgets and laying off security personnel. Such “savings” may result in disastrous data breaches, harsh financial penalties by several state agencies, and trigger multi-million lawsuits and class actions from the victims … I respectfully disagree with some experts who say that GDPR becomes toothless, but the signal is clear – the application of penalties under GDPR may, and likely will depend on the financial conditions of a breached company. This makes a lot of sense but may eventually diminish or even nullify the deterring purpose of GDPR.”
The Marriott data breach ruling does raise the concern that the pandemic, which looks to stretch on well into 2021 at this point, may be used by companies as a justification for a reduced cybersecurity posture — at least in terms of protecting customer information. There is now evidence that a pandemic hardship case plus a basically competent mop-up effort after the fact will lead to this outcome, at least if the UK ICO is making the determination.