Visit Florida
http://admin.travelmole.com/images/stories/2009/images/Marriott Starwood(1).jpg

Published on Friday, October 30, 2020

Marriott fined £18.4m for security breach



The Information Commissioner's Office (ICO) has fined Marriott International Inc £18.4 million for failing to keep millions of customers' personal data secure.





The fine is far less than the £99 million the ICO warned Marriott may have to pay.


Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc.


The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.


The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership number.


The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.  


The ICO's investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).


Information Commissioner, Elizabeth Denham, said: "Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.


"When a business fails to look after customers' data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect."


The ICO's investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 March 2018, when new rules under the GDPR came into effect.


Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR's cooperation process.


How it happened


In 2014, an unknown attacker installed a piece of code known as a `web shell' onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.


This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.


Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.


Which? welcomed the ICO's action, but warned: "Our research earlier this year suggested that Marriott had not learned lessons from previous data breaches and still had serious vulnerabilities on its websites that could leave customers exposed to opportunistic cybercriminals."

Kate Bevan, Editor of Which? Computing, said: "Some people will be frustrated if they've suffered financially and emotionally from this data breach but had no redress.


"The government should provide a much clearer route to this by allowing for an opt-out collective redress regime that deals with mass data breaches."


Paul Cahill, Data Breach Solicitor at Fletchers Data Claims said: "Whilst it might seem that Marriott has had a lucky escape here with their fine having been reduced from £100 million, similarly to BA recently, the ICO's decision to reduce the fine was based upon swift action from Marriott to mitigate the effects of the incident, contacting customers quickly and putting in place a number of retroactive measures to improve the security of its systems.


"This highlights the crucial importance of transparency, clear communication and prompt action from businesses when a breach does occur, to minimise financial and reputational damage."


See also: Marriott International in another data breach

Story Image



Your Comments

, be the first to post a comment.
Your email:






Email other comments made to this story


NOTE: Comments are subject to admin approval before being posted.
Mole Poll
Are any of your clients travelling during the lockdown?
Yes - Business 31.67 %
No 39.44 %
Yes - Leisure 28.89 %

Thank you for your vote



What is GoodtoGo?


Current UK Special Edition



Current US Special Edition



Current Asia/Pacific Special Edition



LATEST 'MOLE VIDEOS

Should the UK have a Cabinet Minister for Tourism ? UKInbound talk to TravelMole

Travelzoo talk about 2021 prospects - what's hot and what's not

The Rocky Mountaineer comes to Colorado

Destination Marketing Campaigns explained by Brightons 'Never Normal' Team

Sri Lanka 2021 - its the place to be

UPCOMING EVENTS
\m 唐人街探案3免费观看,唐人街探案3免费现看全部,唐人街探案3免费国语