In 2014, hotel chain Marriott fell victim to a data breach impacting the Starwood resort chain acquired by the group in 2015.
Threat actors infiltrated Starwood’s systems and executed malware through a web shell, which included remote access tools and credential harvesting software. This allowed the attackers to access databases storing guest reservation information, from names, email addresses and contact numbers to passport numbers and travel details, as well as loyalty programme information.
The breach continued into 2018, over the course of four years, with the records of over 339 million guests of the chain reportedly stolen, including seven million records of UK customers.
Marriott has now been fined £18.4 million by the ICO in response to the 2014 breach, which is itself a heavy reduction from the penalty originally planned, owing to COVID-19 disruption.
The ICO found that the chain had failed to meet the security standards required under GDPR by not putting appropriate technical and organisational measures in place when processing personal data. Despite the Marriott group’s quick response in contacting customers and the ICO upon discovery of the incident to mitigate the risk of damage, the company was found to have contravened the data protection requirements in force since GDPR came into effect.
Shockwaves Throughout 2020
Marriott and rival chains such as Hilton have faced job cuts as well as cancellations of travel, business and holiday plans throughout the pandemic.
When Marriott posted its first quarterly loss in almost a decade, it was expecting a cash burn of $85m per month in 2020.
With its current struggles and recent security improvements to Marriott’s systems in mind, the ICO issued a fine drastically reduced from the original penalty of over £99m for GDPR violations. In talks with the Marriott chain, the ICO revised the figure based on the economic damage caused by the coronavirus as well as the improvements to security made since the incident.
With thousands of affected customers contacting the helpline and millions of records exposed, others may have taken their own action to protect their personal information from the company that was entrusted with it. This has led to a breach of consumers’ trust in the hotel chain to protect their information.
Last month British Airways was fined £20m by the ICO after cyber criminals stole 400,000 records of the airline’s customers.
The airline’s measures to protect customers were labelled unacceptable for security inadequacies that gave hackers access to personal data, including a total lack of cybersecurity audits, lax access controls and little to no use of two-factor authentication.
BA’s fine is the largest the ICO has issued to date, and would have been higher but for recent improvements to security and the economic impact of COVID-19.