Marriott faces a $124 million fine for failing to protect customer data. Here is the summary of the news:
- The hotel chain said in a regulatory filing Tuesday that Britain’s Information Commissioner’s Office intends to impose a £99 million ($124 million) fine under the General Data Protection Regulation (GDPR).
- The regulator said that the penalty stems from a Marriott data breach that exposed 339 million guest records globally, including 30 million Europeans. Marriott has said the hack began in 2014 but was only discovered in November 2018, shortly before it reported the breach.
- It’s the second major fine proposed by the regulator this week. On Monday, the ICO said that British Airways (ICAGY) faces a £183.4 million ($230 million) fine after a breach compromised data on 500,000 customers.
Another Day, Another #GDPR Fine
World's largest Hotel Chain "Marriott International" Faces $123 Million Fine Over Starwood #DataBreach That Exposed Personal Data of Nearly 339 Million Guests https://t.co/c0iRPqxgIY
UK's ICO Recently Also Fined British Airways with £183 Million pic.twitter.com/4n2Fwopnwl
— The Hacker News (@TheHackersNews) July 9, 2019
Experts Comments:
Saryu Nayyar, CEO at Gurucul:
“Marriott seriously failed in its responsibility to identify and contain the incident. Other organisations should learn from this breach that new types of cyber defense strategies are required that leverage machine learning. Enterprises need to fight automated cyberattacks with modern technology that can predict, detect and stop abnormal and suspicious activities before data can be exfiltrated.”
Javvad Malik, Security Awareness Advocate at KnowBe4:
“While these may seem like large fines, these are in relation to large breaches, and it’s about time that the security of personal information of citizens is given the same level of attention as financial data, if not more.”
Martin Courtney, Principal Analyst at TechMarketView:
“The scale of the breaches appears to have had a major bearing on the size of the fines. Personal data belonging to around 500,000 customers was stolen from BA’s website and mobile app while Marriott’s offence is estimated to involve around 30m European customer records. The cyberattack launched on the hotel chain also targeted a guest reservation database acquired during Marriott’s US$13bn acquisition of Starwood in 2016, highlighting the danger of failing to ensure that the security practices and systems of partner or subsidiary businesses are properly reviewed for compliance.
The penalties could yet be reduced on appeal and fell short of the maximum 4% annual turnover the 2018 DPA now allows – £183m represents around 1.5% of BA’s revenue and £99m is around 3% of Marriott’s by our calculations. But while BA and Marriott are large enough to shoulder any financial burden, the same could not be said for smaller organisations, most of which must also comply with both the DPA and the GDPR. TechMarketView noted a marked increase in data protection related consultancy and advisory activity in 2018. But we have a sneaking feeling that some IT departments may not yet have put in place all the measures they need to demonstrate compliance with the new legislation on an ongoing basis and expect continuing engagements to drive further business this year and next.”
Tim Erlin, VP at Tripwire:
“First British Airways, and now Marriott. The ICO is sending a clear message that very real fines are going to be the result of GDPR violations. What’s not clear is how the appeals will go. Both BA and Marriott will appeal these intended fines, and while these headlines might grab attention now, we don’t know how much money these organizations will ultimately hand over.
For industry observers, the key question that should be asked is how these organizations could have avoided being fined, even in the face of a breach. There’s no such thing as perfect security, so what specifically is sufficient to comply with GDPR? It would be helpful for everyone if the ICO could provide more instructional feedback for the community. Statements about protecting customer data are good, but they’re not sufficient for educating other organizations on what’s required.”
Dr Darren Williams, Founder and CEO at BlackFog:
“It’s clear that the ICO will not hesitate in taking strong action to protect personal information. Private data does have significant value, and it needs to be protected just like any other valuable asset owned by a company. It is inevitable that cybercriminals are going to get in, which is why businesses must focus on preventing them from getting out. This means monitoring the exfiltration of data in real-time so attackers can be stopped before they get the chance to remove any valuable data.”
Robert Prigge, President at Jumio Corp:
Jake Moore, Cybersecurity Specialist at ESET:
“Interestingly, these firms’ attacks were by no means the largest in terms of numbers for 2018. This could, in fact, be the tip of the iceberg of what is to come, but let’s hope others are taking copious amounts of notes as to how to handle a breach or, better still, evade the attacks as best they can in the first place.”
Jonathan Bensen, CISO at Balbix:
Chris DeRamus, CTO and Co-founder at DivvyCloud:
Chris Kennedy, CISO at AttackIQ:
“The Marriott Starwood breach stands as one of the largest breaches on record and is another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached. Mergers and acquisitions (M&A) are one of the riskiest things an enterprise can undertake, and as organizations are evaluating companies for M&A deals, it is imperative the cybersecurity posture and incident history is evaluated. Enterprises risk onboarding a company that already has poor security, or one that is already compromised. In some cases, a company’s IP can be stolen before it is acquired, which could very well be the reason that company is being acquired. Starwood is an example of a company with poor company network infrastructure that became Marriott’s security problem to deal with.
Security assessment pre-M&A must become more comprehensive and it should be continuously assessed through the onboarding process. It cannot just be a paper drill. Due to the risk associated with M&A, some organizations have been successfully evaluating companies’ security postures through continuous attacker emulation via breach and attack simulation tools. Continuously validating a potential acquisition’s security will continue to gain popularity during the M&A process so that organizations can avoid the same fate as Marriott, for example.
Data breaches are already expensive, as Ponemon found that the global average cost of a data breach is $3.86 million; however, the frequency and cost of suffering one both continue to rise, especially for businesses that expose EU citizens’ data. Companies must now factor in the cost of fines under GDPR and CCPA, the costs of reparations for customers exposed, and litigation that could very well be in the hundreds of millions. For example, yesterday’s news of British Airways being fined $230 million shows that EU data watchdogs are cracking down on organizations that have exposed EU citizens’ data. However, damage to a brand’s reputation and a loss of consumer and investor trust is priceless. Customers will boycott a business if they do not believe their data is being secured properly, or if their data has been exposed. This boycott can greatly affect any organization’s bottom line for years to come, which can, in the worst-case scenario, lead any company to declare bankruptcy.
The cost of mismanaging security should be a primary board problem as it could put the entire business at risk. Some companies invest in cybersecurity insurance to offset the cost of suffering cyberattacks and data loss; however, this is not always enough. Breaches as large as Marriott’s outclass what most cyber-insurers can cover. The key is to employ continuous security validation tools that test enterprises’ portfolio of security tools to detect gaps in security, tools that are overlapping in protection, and other areas of weakness. This will not only allow a company to effectively secure their network, it will allow them to best allocate their cybersecurity investments and even get rid of redundant tools, therefore saving the company money.”
Tim Dunton, MD at Nimbus Hosting:
“Website security must be the biggest concern for businesses who store personal customer information and they have to begin to ensure they are using a secure system to host their websites.”
Justin Coker, VP EMEA at Skybox Security:
“While BA and Marriott have every right to challenge the size of their fines, such a painful levy against such iconic brands should be a landmark catalyst for change and put cyber hygiene and security compliance on every board’s agenda.
“The fine also shines a light on how digital transformation has made the success of every organization — no matter the vertical, public sector or private sector — dependent on securely handling personal data. Baking in cybersecurity across all connected systems to limit attacks is therefore another essential lesson from the breach and the subsequent fine.
“Whether these companies get their fines adjusted or not, BA and Marriott can use the ICO judgement to take the high ground on knowing the value of proactive cybersecurity and how it can be harnessed to foster customer trust in the long term.”
Rufus Grig, CTO at Maintel:
“Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.
Organisations must use robust IT systems with the latest security systems to tackle this. With the increase in IoT appliances coming onto the now ubiquitous borderless networks, the attraction for hackers to attack will continue to grow, and a priority for security teams will be to reduce the time to detect, contain and mitigate breaches. This is a key strategy given malicious actors are now very skilled in delivering multi-layered attacks using diversion techniques. The only way to go about this is applying emerging technologies like predictive analytics with techniques such as machine learning and modelling as another layer of the already complex security stack. As the saying goes, it’s always better to err on the side of caution.
Businesses can’t promise to stave off every attack, but they can understand how attacks occur, what types of data are at the greatest risk and how to lessen the blow. Whilst Marriott and BA are feeling the heat now, the new data protection laws will give businesses more stringent guidelines to follow, and by planning, identifying and defending vulnerabilities, firms can ensure they are GDPR compliant.”
Jake Olcott, VP Government Affairs at BitSight:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.