Marriott faces a $124 million fine for failing to protect customer data. Here is the summary of the news:
- The hotel chain said in a regulatory filing Tuesday that Britain’s Information Commissioner’s Office intends to impose a £99 million ($124 million) fine under the General Data Protection Regulation (GDPR).
- The regulator said that the penalty stems from a Marriott data breach that exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.
- It’s the second major fine proposed by the regulator this week. On Monday, the ICO said that British Airways (ICAGY) faces a £183.4 million ($230 million) fine after a breach compromised data on 500,000 customers.
Another Day, Another #GDPR Fine
World's largest Hotel Chain "Marriott International" Faces $123 Million Fine Over Starwood #DataBreach That Exposed Personal Data of Nearly 339 Million Guests https://t.co/c0iRPqxgIY
UK's ICO Recently Also Fined British Airways with £183 Million
— The Hacker News (@TheHackersNews) July 9, 2019
Experts' Comments:
Saryu Nayyar, CEO at Gurucul:
“The size and scope of the Starwood data breach makes it the most severe such incident in 2018. According to the company’s own statements the attackers had “unauthorized access” to key systems with sensitive data.
Marriott seriously failed in its responsibility to identify and contain the incident. Other organisations should learn from this breach that new types of cyber defense strategies are required that leverage machine learning. Enterprises need to fight automated cyberattacks with modern technology that can predict, detect and stop abnormal and suspicious activities before data can be exfiltrated.”
Javvad Malik, Security Awareness Advocate at KnowBe4:
“After handing out a £183m fine to British Airways, it appears as if the ICO is gearing up to unleash the full might of its GDPR-enhanced power, this time on Marriott for breaching 30 million Europeans’ data.
While these may seem like large fines, these are in relation to large breaches, and it’s about time that the security of personal information of citizens is given the same level of attention as financial data, if not more.”
Martin Courtney, Principal Analyst at TechMarketView:
It was just a matter of time before the UK Information Commissioner’s Office (ICO) began to demonstrate the power that the new 2018 Data Protection Act, introduced to mirror the GDPR, allows it to wield. The hefty fines served on two high profile corporates – British Airways (£183m) and Marriott (£99m) – are warning shots to other UK businesses that may not have fully implemented the processes and systems needed to properly protect the sensitive data of EU citizens.
The scale of the breaches appears to have had a major bearing on the size of the fines. Personal data belonging to around 500,000 customers was stolen from BA’s website and mobile app, while Marriott’s offence is estimated to involve around 30m European customer records. The cyberattack launched on the hotel chain also targeted a guest reservation database acquired during Marriott’s US$13bn acquisition of Starwood in 2016, highlighting the danger of failing to ensure that the security practices and systems of partner or subsidiary businesses are properly reviewed for compliance.
The penalties could yet be reduced on appeal and fell short of the maximum 4% of annual turnover the 2018 DPA now allows – £183m represents around 1.5% of BA’s revenue and £99m is around 3% of Marriott’s by our calculations. But while BA and Marriott are large enough to shoulder any financial burden, the same could not be said for smaller organisations, most of which must also comply with both the DPA and the GDPR. TechMarketView noted a marked increase in data protection related consultancy and advisory activity in 2018. But we have a sneaking feeling that some IT departments may not yet have put in place all the measures they need to demonstrate compliance with the new legislation on an ongoing basis, and we expect continuing engagements to drive further business this year and next.
Tim Erlin, VP at Tripwire:
“I guess it’s time to review the list of breaches from 2018 and start taking bets on more GDPR fines.
First British Airways, and now Marriott. The ICO is sending a clear message that very real fines are going to be the result of GDPR violations. What’s not clear is how the appeals will go. Both BA and Marriott will appeal these intended fines, and while these headlines might grab attention now, we don’t know how much money these organizations will ultimately hand over.
For industry observers, the key question that should be asked is how these organizations could have avoided being fined, even in the face of a breach. There’s no such thing as perfect security, so what specifically is sufficient to comply with GDPR? It would be helpful for everyone if the ICO could provide more instructional feedback for the community. Statements about protecting customer data are good, but they’re not sufficient for educating other organizations on what’s required.”
Dr Darren Williams, Founder and CEO at BlackFog:
“With the second proposed fine this week, the ICO is certainly sending the message that companies must make data privacy their biggest priority. As Marriott International faces a whopping £99 million fine, all businesses across the EU need to be thinking seriously about the customer data they hold, and how secure their cybersecurity solutions are.
“It’s clear that the ICO will not hesitate in taking strong action to protect personal information. Private data does have significant value, and it needs to be protected just like any other valuable asset owned by a company. It is inevitable that cybercriminals are going to get in, which is why businesses must focus on preventing them from getting out. This means monitoring the exfiltration of data in real-time so attackers can be stopped before they get the chance to remove any valuable data.”
Robert Prigge, President at Jumio Corp:
“The regulators are trying to set a clear example going after the big data controllers — Marriott Hotels and British Airways. Undoubtedly, there will be plenty of finger wagging, but what other UK enterprises should be thinking about is “what if.” What if the regulators decide to go after smaller fish? What if the regulators decide to prosecute the data processors — those third parties that manage personal data — of the big data controllers. Organisations need to think about protecting, really protecting, the digital identities of their users and, in many cases, that will require a complete rethink.”
Jake Moore, Cybersecurity Specialist at ESET:
“Well, the snowball has surely started to gain momentum now and this just highlights that it’s not just UK companies at risk of eye-watering fines either. Other firms who suffered from large breaches post-May 25, 2018 better start saving because the ICO clearly means business.
Interestingly, these firms’ attacks were by no means the largest in terms of numbers for 2018. This could, in fact, be the tip of the iceberg of what is to come but let’s hope others are taking copious amounts of notes as to how to handle a breach or better still, evade the attacks as best they can in the first place.”
Jonathan Bensen, CISO at Balbix:
“Marriott’s data breach last year stands as one of the largest to occur by number of records exposed behind Yahoo’s 2013 breach of 3 billion records and First American Corp’s breach of 885 million records this year. Companies must rethink their reactive cybersecurity strategies that detect and control breaches in progress or after they happen. At that point, it’s too late. Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches and avoid fines from data privacy laws. Yesterday, British Airways was fined $230 million for its breach of 500,000 customers’ credit card information and it will be interesting to see what other companies will be issued fines in the near future as well.”
Chris DeRamus, CTO and Co-founder at DivvyCloud:
“We are living in a world where there are hundreds of thousands of threat actors around the globe continuously trying to exploit vulnerabilities. Regardless of how the breach occurs, typically, it’s because of an approach to security that is manual and periodic rather than continuous. Inevitably, that creates a cycle of shifting in and out of compliance, and in and out of true security. The problem is that even a brief lapse in compliance/security opens a window that can be exploited. According to a recent survey by PwC on consumer trust, 87 percent of consumers will take their business elsewhere if they do not trust a company is handling their data responsibly. When organizations don’t achieve continuous compliance and security through monitoring and automated remediation, then it’s only a matter of time before they join a growing list of companies that lose customers due to data breaches and see their bottom line negatively impacted.”
Chris Kennedy, CISO at AttackIQ:
“The Marriott Starwood breach stands as one of the largest breaches on record and is another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached. Mergers and acquisitions (M&A) are one of the riskiest things an enterprise can undertake, and as organizations are evaluating companies for M&A deals, it is imperative the cybersecurity posture and incident history is evaluated. Enterprises risk onboarding a company that already has poor security, or one that is already compromised. In some cases, a company’s IP can be stolen before it is acquired, which could very well be the reason that company is being acquired. Starwood is an example of a company with poor company network infrastructure that became Marriott’s security problem to deal with.
Security assessment pre-M&A must become more comprehensive and it should be continuously assessed through the onboarding process. It cannot just be a paper drill. Due to the risk associated with M&A, some organizations have been successfully evaluating companies’ security postures through continuous attacker emulation via breach and attack simulation tools. Continuously validating a potential acquisition’s security will continue to gain popularity during the M&A process so that organizations can avoid the same fate as Marriott, for example.
Data breaches are already expensive, as Ponemon found that the global average cost of a data breach is $3.86 million; however, the frequency and cost of suffering one both continue to rise, especially for businesses that expose EU citizens’ data. Companies must now factor in the cost of fines under GDPR and CCPA, the costs of reparations for customers exposed, and litigation that could very well be in the hundreds of millions. For example, yesterday’s news of British Airways being fined $230 million shows that EU data watchdogs are cracking down on organizations that have exposed EU citizens’ data. However, damage to a brand’s reputation and a loss of consumer and investor trust is priceless. Customers will boycott a business if they do not believe their data is being secured properly, or if their data has been exposed. This boycott can greatly affect any organization’s bottom line for years to come, which can, in the worst-case scenario, lead any company to declare bankruptcy.
The cost of mismanaging security should be a primary board problem as it could put the entire business at risk. Some companies invest in cybersecurity insurance to offset the cost of suffering cyberattacks and data loss; however, this is not always enough. Breaches as large as Marriott’s outclass what most cyber-insurers can cover. The key is to employ continuous security validation tools that test enterprises’ portfolio of security tools to detect gaps in security, tools that are overlapping in protection, and other areas of weakness. This will not only allow a company to effectively secure their network, it will allow them to best allocate their cybersecurity investments and even get rid of redundant tools, therefore saving the company money.”
Tim Dunton, MD at Nimbus Hosting:
“Two monumental fines over the course of two days for breaking GDPR guidelines shows the ICO are really starting to take these breaches of security seriously – as they should be. Businesses must begin to understand the power they have when collecting and storing customer data and must face severe consequences when they fail to properly secure this.
“Website security must be the biggest concern for businesses who store personal customer information and they have to begin to ensure they are using a secure system to host their websites.”
Justin Coker, VP EMEA at Skybox Security:
“Some commentators would agree that today’s $124 million fine imposed by the ICO on Marriott, and the BA penalty announced yesterday are extremely high. Until this and BA’s, none of the ICO fines have topped the £500,000 mark, which was the previous limit under the Data Protection Act 1998. A bigger penalty does seem to be sending a message to any firms operating in the UK which are lingering in cybersecurity complacency.
“While BA and Marriott have every right to challenge the size of their fines, such a painful levy against such iconic brands should be a landmark catalyst for change and put cyber hygiene and security compliance on every board’s agenda.
“The fine also shines a light on how digital transformation has made the success of every organization — no matter the vertical, public sector or private sector — dependent on securely handling personal data. Baking in cybersecurity across all connected systems to limit attacks is therefore another essential lesson from the breach and the subsequent fine.
“Whether these companies get their fines adjusted or not, BA and Marriott can use the ICO judgement to take the high ground on knowing the value of proactive cybersecurity and how it can be harnessed to foster customer trust in the long term.”
Rufus Grig, CTO at Maintel:
Organisations like Marriott and BA are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers high return on investment.
Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.
Organisations must use robust IT systems with the latest security systems to tackle this. With the increase in IoT appliances coming onto the now ubiquitous borderless networks, the attraction for hackers to attack will continue to grow, and a priority for security teams will be to reduce the time to detect, contain and mitigate breaches. This is a key strategy given malicious actors are now very skilled in delivering multi-layered attacks using diversion techniques. The only way to go about this is applying emerging technologies like predictive analytics with techniques such as machine learning and modelling as another layer of the already complex security stack. As the saying goes, it’s always better to err on the side of caution.
Businesses can’t promise to stave off every attack, but they can understand how attacks occur, what types of data are at the greatest risk and how to lessen the blow. Whilst Marriott and BA are feeling the heat now, the new data protection laws will give businesses more stringent guidelines to follow, and by planning, identifying and defending vulnerabilities, firms can ensure they are GDPR compliant.
Jake Olcott, VP Government Affairs at BitSight:
“These fines make it clear — executives and boards are responsible and accountable for cybersecurity. It has never been more important for them to understand and manage their organisation’s security performance just like they would manage any other critical business issue. When it comes to cybersecurity, ongoing briefings, regular reporting, and performance metrics are no longer nice to have — they are required.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.