UK Levies Second Largest Privacy Fine for Marriott Data Breach
The U.K. Information Commissioner’s Office (ICO) announced a £18.4 million penalty for the Marriott data breach. The sensitive data of millions of Marriott customers was stolen in a cyber attack that had compromised the company’s website for years. The penalty was issued under the Data Protection Act 2018 for infringements of the General Data Protection Regulation (GDPR).
The Marriott data breach involved over 330 million hotel guests worldwide including several million customer records belonging to citizens of the United Kingdom.
The penalty deals with failures by Marriott regarding the security principle, says the UK ICO.
Marriott Data Breach – How it Happened
In November 2018 Marriott International Inc revealed that hackers had compromised the Starwood Hotels guest reservation system. The cyber attack began in 2014 and went undetected until September 2018. The personal information of about 339 million customers was stolen during the prolonged cyber attack.
To compromise the Starwood reservation system, the attackers installed a web shell on a compromised device which gave them the ability to control the device remotely. They installed malware and gained persistent remote access to the compromised network. They then used other cyberattack tools to access and exfiltrate customer data from the hotel reservation system.
Compromised personal data included:
- Email addresses
- Phone numbers
- Unencrypted passport numbers
- Arrival/departure information
- Guest VIP status
- Loyalty program membership numbers
Although the attack started in 2014, the penalty deals only with the Marriott data breach from 25 May 2018 onwards, under the new GDPR rules.
“The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR),” says the U.K. Information Commissioner’s Office.
The UK ICO says the attacker has not been identified.
What is GDPR?
The General Data Protection Regulation, known as GDPR, is a European Union regulation that dictates how personal data is handled. The EU regulation helps protect individuals’ information such as names, email addresses, birthdates, ID numbers, and any other personally identifying information used online by organizations. There are provisions for how long data can be stored and for the ability of people to demand that all of their data be deleted at any time they choose.
Companies found in violation of GDPR can be fined up to four percent of their annual revenue or €20 million.