ICO - Monetary Penalty on Marriott International Inc.
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.09.2020
Published: 30.10.2020
Fine: 18400000 GBP
Parties: n/a
National Case Number/Name: Monetary Penalty on Marriott International Inc.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: Edda Pernice

The Information Commissioner’s Office (ICO) imposed a fine of GBP 18.4 million on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its customers’ personal data, thus violating Article 5(1)(f) and Article 32 GDPR.
Investigations began following notification of an attack on Marriott’s IT systems that took place over a period of time that includes May 2018 (when the GDPR came into force) to September 2018. As a result, the attacker(s) had access to vast amounts of customers’ personal data: Marriott estimated that they accessed 339 million guest records, with 30.1 million being EEA members’ records and 7 million being associated with the UK.
English Summary
Facts
The IT systems of Starwood Hotels and Resorts Worldwide Inc (“Starwood”) were first compromised by unknown attackers in 2014. Marriott subsequently acquired Starwood in 2016, but did not detect this attack at any time between that moment and September 2018. Therefore, between 2014 and 2018, the attackers had access to Starwood’s systems through the use of Remote Access Trojan malware, and kept extracting Starwood databases. Marriott became aware of potential attacks in September 2018, following an alert from a system applied to one of its most confidential databases. Marriott then found installed malware and proof that databases had been extracted over the years, and promptly notified both the ICO and the relevant data subjects of the breach. The ICO found that the attackers had obtained unencrypted personal data, including passport numbers and identifying information about customers such as name, date of birth and gender, plus credit card details in encrypted form.
Dispute
Holding
Although the ICO and the relevant victims were notified promptly of the breach, the ICO found many failures in putting in place the technical and organizational measures needed to safeguard personal data in Marriott’s systems, as required under Article 5(1)(f) and Article 32 GDPR. Marriott’s shortcomings, as outlined by the ICO, were the following: insufficient monitoring of privileged accounts and their user activity, insufficient monitoring of databases, poor control of critical systems and of systems that have access to large amounts of personal data, and the fact that only certain types of sensitive data were encrypted (e.g. credit card numbers) but not all (e.g. many passport numbers). The ICO fined Marriott in line with Article 83 GDPR but also took into account mitigating factors such as the efforts that Marriott made to inform and help the victims of the breach, the $19 million investment it made in security the following year and the financial impacts of the Covid-19 pandemic, lowering the final amount of the fine from £24 million to £18.4 million.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.