Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.
The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).
Information Commissioner, Elizabeth Denham, said:
”Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.
Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.
Details of the cyber attack
In 2014, an unknown attacker installed a piece of code known as a `web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.
This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.
Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.
The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
- The GDPR sets out six basic principles organisations must comply with in processing personal data. These are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security; accountability. This penalty deals with failures by Marriott regarding the security principle.
- The ICO’s investigation involved various exchanges with Marriott and considered detailed submissions and evidence. The penalty process involved issuing Marriott with a Notice of Intent in July 2019, indicating an intention to impose a penalty and offering them the chance to submit representations.
- Marriott announced the Notice of Intent to the US Securities and Exchange Commission and the ICO responded with a statement.
- The ICO applied the legislative framework in conjunction with the ICO’s Regulatory Action Policy, which states that "before issuing fines we take into account economic impact and affordability". The RAP is currently under review as part of the ICO’s consultation on its Statutory Guidance.
- Where, as here, the processing in issue is cross-border, Article 56 of the GDPR makes provision for the designation of a lead supervisory authority. In this case, the ICO acted as the lead supervisory authority.
- The ICO completed the Article 60 process prior to the issuing of the penalty. Article 60 of the GDPR provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. This includes submitting a draft decision to the other supervisory authorities concerned for their opinion and taking due account of their views.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.