Marriott International has been fined the equivalent of $34 million by the U.K. Information Commissioner for failing to keep the personal data of over 300 million customers secure. That’s a drop from the initially proposed fine of about $170 million.
“Personal data is precious and businesses have to look after it,” Commissioner Elizabeth Denham said in a release today. “Millions of people’s data were affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
The Information Commissioner’s Office (ICO) traced the cyberattack back to 2014, but the penalty relates only to the period of the breach from May 25, 2018, when new rules under Europe’s General Data Protection Regulation (GDPR) came into effect.
Marriott estimates that 339 million guest records worldwide were affected following a cyberattack in 2014 on Starwood Hotels and Resorts Worldwide Inc. However, the exact number of people affected isn’t clear because there may have been multiple records for individuals. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers.
The report doesn’t detail how, but in 2014, an unknown attacker installed a web shell onto a device in the Starwood system, giving them the ability to access and edit the contents of this device remotely.
Malware was then installed that gave the attacker remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and to any other devices on the network that the account could reach.
More tools were installed by the attacker to gather login credentials for additional users within the Starwood network, said the report. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.
The ICO acknowledged that Marriott acted promptly to contact customers. It also acted quickly to mitigate the risk of damage to customers and has since put in place a number of measures to improve the security of its systems.
Meanwhile, in March, Marriott admitted that a new hack had been discovered. The chain said it was notifying some 5.2 million guests who had stayed at its hotels in several countries, including Canada, the U.S. and the U.K., that they were victims of the breach.