International hotel chain Marriott and the UK's data protection regulator, the Information Commissioner's Office (ICO), are in the middle of a legal tit-for-tat after the ICO notified the multinational lodging company that it intends to impose a fine of more than £99 million over a data breach that affected millions of Marriott's customers last year.
On September 8, 2018, Marriott received an alert from an internal security tool about an attempt to access the Starwood guest reservation database. The breach affected more than 383 million Marriott customers, including approximately 5.25 million unencrypted passport numbers obtained by an unauthorized third party. The information accessed also includes nearly 18.5 million encrypted passport numbers. Around 30 million of the affected records related to residents of 31 countries in the European Economic Area (EEA), and seven million were associated with UK residents.
The data copied from the Starwood guest reservation database over time includes information about guests who made a reservation at a Starwood property, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.
Furthermore, Marriott believes that approximately 9.1 million encrypted payment cards were involved in the incident. Of that number, about 385,000 payment cards were unexpired as of the date the information was accessed.
The Information Commissioner's Office, the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, launched an investigation into the breach. The investigation found sufficient negligence on the part of Marriott and Starwood that the ICO issued a notice of intent to fine the company £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” Information Commissioner Elizabeth Denham said.
“Personal data has a real value, so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
But Marriott said it is challenging the ICO's determination, vehemently denying responsibility for the incident, and that it "intend[s] to respond and vigorously defend their position."
“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database,” said Marriott International’s President and CEO, Arne Sorenson.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”
The ICO acknowledged that Marriott cooperated with its investigation and has made improvements to its security arrangements since the incident became public. Marriott can now make representations to the ICO on the proposed findings and sanction. But the regulator, while open to representations and challenges to its findings and proposed sanction, stands by its decision to impose the fine on the company.
“The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings,” they said in a statement.
The ICO also said it would hear Marriott's response to the notice of intent and "will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision."