ICO - Monetary Penalty on Marriott International Inc.

From GDPRhub
Revision as of 17:30, 5 November 2020 by 5.171.123.70 (talk) (added link to article 5(1)(f))
ICO - ICO - Monetary Penalty on Marriott International Inc.
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.09.2020
Published: 30.10.2020
Fine: 18400000 GBP
Parties: n/a
National Case Number/Name: ICO - Monetary Penalty on Marriott International Inc.
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: Edda Pernice

The Information Commissioner’s Officer (ICO) imposed a fine of GBP 18.4 million on Marriott International Inc (“Marriott”) for failing to ensure appropriate security when processing its costumers’ personal data, thus violating Article 5(1)(f) and Article 32 GDPR. Investigation began following notification of an attack on Marriott’s IT systems that took place over a period of time that includes May 2018 (when the GDPR came into force) to September 2018 . As a result, the attacker(s) had access to vast amounts of costumers’ personal data: Marriot estimated that they accessed 339 million guest records, with 30.1 million being EEA members’ records and 7 million being associated with the UK.

English Summary

Facts

Starwood Hotels and Resorts Worldwide Inc’s (“Starwood”) IT system were first compromised by unknown attackers in 2014. Marriot subsequently acquired Starwood in 2016, but did not detect this attack at any time between that moment and September 2018. Therefore, between 2014 and 2018, the attackers had access to Starwood’s systems through use of Remote Access Trojan malware, and kept extracting Starwood databases. Marriott became aware of potential attacks following an alert from a system applied to one of its most confidential databases on September 2018. After that Marriot found malware installed and proof that databases had been extracted over the years, so they promptly notified both the ICO and relevant data subjects of the breach. The ICO found that the attackers had obtained unencrypted personal data of the likes of: passport numbers, identifying information of the costumers such as name, date of birth and gender, plus credit card details in encrypted form.

Dispute

Holding

Although the ICO and the relevant victims were notified promptly of the breach, the ICO found that there were many failures in placing the technical and organizational measures to safeguard personal data in Marriott’s system as required under Article 5(1)(f) and Article 32 GDPR. Marriott’s shortcomings, as outlined by the ICO, were the following: insufficient monitoring of privileged accounts and their user activity, insufficient monitoring of databases, poor control of critical systems and systems that have access to large amounts of personal data, and the fact that only certain type of sensitive data was encrypted (e.g. credit card numbers) but not all (e.g. many passport numbers). The ICO fined Marriott in line of Article 83 GDPR but also took into account mitigating factors such as the efforts that Marriott made to inform and help the victims of the breach, the $19 million investment it made on security the following year and the financial impacts of the Covid-19 pandemic, lowering the final amount of the fine from £24 million to £18.4 million.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.