UPDATED 21:42 EDT / JULY 09 2019


GDPR bites again: Marriott facing $123.6M fine for 2018 data breach

The U.K.’s Information Commissioner’s Office today announced that it intends to fine hotel chain Marriott International Inc. £99.2 million ($123.6 million) for a data breach in November that exposed the records of some 500 million customers.

The hack had its roots in the Starwood hotels group starting in 2014, two years before it was acquired by Marriott. Over a period of four years, customer data for approximately 339 million individual guests was stolen.

That data included name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

The theft of data was not uncovered until late 2018, some two years after Marriott had acquired Starwood. The ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Despite the fact that most of the hacking took place before the introduction of the General Data Protection Regulation, the finding was made under GDPR, which came into force in May 2018.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in a statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott has 28 days to appeal the intent to impose the fine and will do so. Marriott International President and Chief Executive Officer Arne Sorenson said that “we are disappointed with this notice of intent from the ICO, which we will contest.”

Who was behind the hack has never been confirmed, but a report in December suggested that China may have been behind the attack. It appeared to have been designed to collect information for use in Beijing’s espionage efforts, not for financial gain.

The news comes a day after the ICO said that it intended to fine British Airways Plc £183.39 million ($230 million) for a data breach involving its systems in 2018.

Chris Kennedy, chief information security officer at security firm AttackIQ Inc., told SiliconANGLE that the breach is another example of a merger in which testing the resiliency of the existing security controls would have helped uncover gaps and revealed that Starwood Hotels had already been breached.

“Mergers and acquisitions are one of the riskiest things an enterprise can undertake, and as organizations are evaluating companies for M&A deals, it is imperative the cybersecurity posture and incident history is evaluated,” Kennedy said. “Enterprises risk onboarding a company that already has poor security, or one that is already compromised. In some cases, a company’s IP can be stolen before it is acquired, which could very well be the reason the company is being acquired. Starwood is an example of a company with a poor company network infrastructure that became Marriott’s security problem to deal with.”

Kennedy added that security assessment pre-M&A must become more comprehensive. “It cannot just be a paper drill,” he said. “Continuously validating a potential acquisition’s security will continue to gain popularity during the M&A process so that organizations can avoid the same fate as Marriott.”

Mike Bittner, associate director of digital security and operations at ad verification firm The Media Trust, said in an email that the ICO’s actions in recent cases are a sign of the principles companies will have to follow.

“First, while data is money, insecure data is a huge liability,” he said. “And as they collect and store more data, that liability grows.”

Second, he said, “ill-gotten data will likely prove to be a high price tag for companies as well. Regulators will be issuing significant penalties to companies, not only for inadequate data security, but also for collecting and processing consumer data without consumers’ consent. A company’s compliance with GDPR and other regulations on the horizon will determine how much that company is worth.”

Photo: europealacarte/Flickr
