The Marriott data breach was one of the worst data security failings ever to hit the hospitality industry. The failures in data security led to the pilfering of 5 million unencrypted passport numbers, as well as 8 million credit card records, from a reservation system operated by its Starwood subsidiary. Marriott acquired Starwood in 2016 for over $13.5 billion.
Aside from the credit card numbers and the passport details, mailing addresses, email addresses and phone numbers were also taken by the hacking group Magecart, or at least that is what many researchers are saying.
The hacker group is accused of using a ‘Remote Access Trojan’ to access the database, monitor activity and potentially gain control of the affected computer itself.
The data breach is estimated to have affected around 30 million EU residents. It took place in 2014 – but was only discovered by Marriott 4 years later.
The latest findings by the U.K.’s ‘Information Commissioner’s Office’ (ICO) point to enormous failings in due diligence of I.T. systems prior to Marriott’s purchase of Starwood. Marriott should have known about the weaknesses of the system and moved to secure it.
The U.K.’s data protection authority was dissatisfied by the conduct of the hotel giant, and Marriott was slapped with a £99 million ($123 million) fine. Marriott immediately issued a statement confirming that it would be contesting the fine. It could have been (barely) worse for Marriott. The new GDPR rules and regulations in force in the E.U. (which also affect those who do business with companies in the E.U.) actually give the ICO the authority to fine a company up to 4% of annual turnover. In fact, the fine levied by the ICO was around 3% of the hotel chain’s revenue.
The Marriott decision is another example of the fairly new ICO flexing its muscles, and a warning to companies that GDPR has teeth and that data security issues need to be addressed as a matter of urgency. In the first half of July 2019, the ICO fined British Airways $230 million for a data breach that affected around 500,000 customers. That data breach happened during August and September 2018.
Data security professionals, consultants and regulators have been asking companies a variety of uncomfortable questions. Many of these revolve around the slow pace at which companies like Marriott put in place proper data management protocols and procedures that would go some way to enhancing their security posture, and make the job of hackers slightly more challenging.
It is clear that the ICO is determined to send a clear message to business. Organizations that act as custodians of large amounts of consumer data need to display far more vigilance when it comes to protecting that data. The twin blows of lost consumer confidence when a data breach occurs and the effect of significant fines will make even the most stubborn (and penny-pinching) C-suite executives have a long, hard think about just how they will add to the layers of security that protect customer data. Those who ignore this responsibility (as was the case in the Marriott data breach) will feel the wrath of regulation in the E.U.