Major companies and brands around the world are now on notice: if they fail to have adequate security safeguards in place to protect user data, they could be facing tens of millions of dollars in fines and penalties, thanks to the much more stringent provisions of the European General Data Protection Regulation (GDPR). Case in point: Global hotel brand Marriott International is now facing a $123 million (£99.2 million) GDPR fine as the result of a major security breach disclosed in 2018 that left more than 339 million guest records exposed to attackers. The UK Information Commissioner’s Office (ICO) issued its notice of intent to fine Marriott in the same week that it announced an even bigger $230 million (£183.39 million) GDPR fine against British Airways for exposing the payment details and personal information of roughly 500,000 customers.
Details of the Marriott GDPR fine
The size of these GDPR fines is record setting and unprecedented. Until the GDPR became applicable in May 2018, the largest fine the ICO could levy against a company under the UK Data Protection Act 1998 was £500,000. The GDPR, by contrast, allows a maximum fine of the higher of 20 million euro or 4 percent of global annual turnover. For a major hospitality brand like Marriott, that number can be truly massive. The $123 million fine is approximately 3 percent of the $3.6 billion in global annual revenue cited for the company, so it’s clear that the ICO was attempting to make a major statement with the size of the penalty. The same logic was at work in the case of British Airways, which was fined approximately 1.5 percent of its global annual turnover.
Jonathan Bensen, CISO of Balbix, comments on the importance of the Marriott case in setting an example for the broader marketplace: “Marriott’s data breach last year stands as one of the largest to occur by number of records exposed behind Yahoo’s 2013 breach of 3 billion records and First American Corp’s breach of 885 million records this year. Companies must rethink their reactive cybersecurity strategies that detect and control breaches in progress or after they happen. At that point, it’s too late. Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches and avoid fines from data privacy laws.”
According to the UK Information Commissioner, the GDPR has fundamentally changed the rules of the game for companies involved in major security breaches: “The GDPR makes clear that organizations must be accountable for the personal data they hold.” In addition, the UK Information Commissioner noted that companies lacking proper accountability measures would be penalized much more heavily than those that had put into place safeguard measures to protect any data that has been acquired from EU customers. Thus, data protection authorities will assess not only the extent of the cyber hack, but also the types of safeguards put into place previously. This will include carrying out proper due diligence for any acquisitions that involve the personal data of EU citizens.
The most troubling aspect of the Marriott security breach was how long it took the company to discover the intrusion, determine its size and extent, and then report it to the relevant authorities. The compromise actually dates back to 2014, prior to Marriott’s acquisition of Starwood Hotels in 2016. Marriott’s due diligence on that acquisition fell badly short: it did not discover that the Starwood guest reservation database had already been compromised at the time of the deal, and for two further years it did not detect that guest records, payment details and even passport numbers were being accessed by the attackers. Even after Marriott was alerted to the breach in September 2018, it did not announce it until November 2018. The GDPR requires a data controller to notify its supervisory authority within 72 hours of becoming aware of a personal data breach where feasible (Article 33) and, where the breach is likely to result in a high risk to individuals, to inform the affected data subjects without undue delay (Article 34).
The size and scope of the Marriott security breach are correspondingly large. Marriott originally reported that 383 million guest records had been compromised, a figure the ICO later put at 339 million, including approximately 30 million records relating to residents of 31 countries in the European Economic Area (EEA). The compromised data also included 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment card numbers, and 385,000 payment card numbers that were still valid at the time of the breach.
A new era for cybersecurity in the wake of the GDPR
It’s clear that there has been a paradigm shift in the world of cybersecurity. Just 18 months ago, companies that suffered a breach were seen as helpless victims of criminal attacks by hacker collectives around the world. Today, companies are held responsible for the data they lose. Without accountability measures in place to assess and manage their overall cyber risk profile, companies are putting themselves at risk of major new fines. Regulators are rarely able to reach the attackers themselves, so they are going after the companies that failed to secure the data.
As Oz Alashe, CEO of CybSafe, points out: “We’re witnessing a sea change in the way companies are penalized for data breaches. With two massive fines announced in the space of one week, the ICO is sending out a clear message as to how it now perceives and reacts to security malpractice. Businesses worldwide will be paying strict attention, if they weren’t already.”
Thus, other companies around the world are now “on notice” that they could be next. The fact that the massive British Airways GDPR fine was followed in quick succession by the Marriott GDPR fine was not coincidental: it was meant to make a major statement about the new power and authority invested in Europe’s data protection regulators. The biggest targets could still be yet to come. That’s because big Silicon Valley tech companies such as Apple, Facebook and Google are still awaiting their fate at the hands of the Irish Data Protection Commission.
If the Irish data protection authorities choose to adopt the same logic as the UK Information Commissioner’s Office, there could be some very dark days ahead for these companies. For example, applying the maximum GDPR fine of 4 percent of global annual turnover to these companies would mean Google facing a fine of roughly $5 billion and Facebook a fine of roughly $2.2 billion. Those figures would make the fines assessed against Marriott International and British Airways look like child’s play.
Long term, a constant series of GDPR fines could start to impact customer perceptions and lead to the erosion of overall brand value. In the hospitality business, it’s easy to see how the loss of customer trust could be disastrous. For example, when choosing where to book a hotel, customers could decide to forego Marriott (and all of its related hotel properties) entirely if they feel that there is any risk that their passport information could be compromised. Likewise, airline passengers have plenty of other choices than British Airways. If customers decide to shift their allegiance and loyalty to another airline, it could have a massive, long-term impact on the company.
Chris DeRamus, CTO and co-founder of DivvyCloud, comments on the changing landscape for cyber security: “We are living in a world where there are hundreds of thousands of threat actors around the globe continuously trying to exploit vulnerabilities. Regardless of how the breach occurs, typically, it’s because of an approach to security that is manual and periodic rather than continuous. Inevitably, that creates a cycle of shifting in and out of compliance, and in and out of true security. The problem is that even a brief lapse in compliance or security opens a window that can be exploited.”
That’s why many security analysts are now warning of a new era in cybersecurity in the wake of the GDPR. The old paradigm was to evaluate a company primarily on the basis of its economic performance. The new paradigm is to evaluate a company also on the basis of its cybersecurity posture. Customers have little tolerance for companies that play fast and loose with their data, or that take on new corporate acquisitions without carrying out basic security due diligence. In the GDPR era, personal data has real value and needs to be properly protected.