Penalty is 82% lower than was originally intended
The Information Commissioner’s Office has fined hotel chain Marriott International £18.4m over a cyberattack that went undetected for four years and may have compromised as many as 339 million guest records.
It is the second time in the space of two weeks that the regulator has imposed a multimillion-pound penalty, after British Airways was slapped with a record £20m fine earlier this month.
In both cases, however, the punishments were greatly reduced from what was originally intended; in July 2019, the ICO announced that it planned to fine Marriott £99m.
The £18.4m penalty ultimately imposed marks an 82% reduction.
In BA’s case, the £20m fine represents an 89% decrease from the intended levy of £183m.
For both companies, the regulator said it had reduced the fines after listening to their representations during the appeal process and considering “the economic impact of Covid-19 on their business”.
Announcing the Marriott penalty, information commissioner Elizabeth Denham said: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The hotel chain said that it would appeal the £18.4m fine – but that it “makes no admission of liability in relation to the decision or the underlying allegations”.
“As the ICO acknowledges, Marriott cooperated fully throughout the investigation,” the company added. “Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems, as the ICO recognizes. The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
The attack in question was launched in 2014 by an unknown attacker, according to the ICO. The target was Starwood Hotels and Resorts – a company that went on to be acquired by Marriott in 2016.
“[The] attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely,” the regulator said. “This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.
“Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.”
The attack was not detected until September 2018 – four months after the EU General Data Protection Regulation came into effect – and the ICO was notified shortly thereafter. Marriott has estimated that approximately 339 million guest records were impacted by the attack.
The £18.4m fine imposed on the hotel chain is not only much reduced from the originally intended figure, it is also a long way short of the maximum permissible penalty under GDPR and the new UK Data Protection Act.
Prior to 2018, the maximum penalty available to the ICO was £500,000 across the board. But the new statutes have given the watchdog the power to penalise breaches of data-protection law with fines of about £18m or 4% of the global turnover of the organisation in question – whichever figure is greater.
For Marriott, which turned over $21bn in 2019, this could have meant a penalty of up to £650m.