Marriott GDPR fine highlights need for cyber security due diligence

I’ve been looking into the episode, and what most strikes me is Marriott’s negligence in understanding the cyber security risks of what they were buying.

When Marriott bought Starwood Hotels & Resorts Worldwide for $13.6 billion, they were dealing in data. The acquisition of an impressively large quantity of valuable customer insights looked to be the way towards better loyalty. Marriott also bought a massive security risk which has now, in a way that I find rather ironic, landed them with a hefty $125 million GDPR fine.

The logic behind the Marriott Starwood merger was to create greater loyalty to both hotel chains. Many regular business travellers were inclined to favour one or the other, so by combining the loyalty schemes of both companies, each would gain a deeper understanding of customer behaviour and a stronger proposition in result.

Just days after the deal was announced, Starwood disclosed a security breach. I see a disclosure so early on in the relationship as an indication of two things. Firstly, Starwood’s compromised position. Secondly, Marriott’s failure to undertake sufficient due diligence when they bought Starwood.

This episode is now reaching its culmination, in what is by some estimates one of the most sustained breaches of all-time. I’m sure you’re likely to agree that it’s well ahead of Equifax. 3 days ago, the ICO released a statement outlining their intention to fine Marriott for a cyber incident that began in 2014, when the Starwood systems were compromised. That’s 4 and a half years ago. Marriott acquired Starwood in 2016, but were not aware of the breach until 2018.

The ICO summarised the extent of the breach as such: “A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.”

I find that Information Commissioner Elizabeth Denham captures the importance of due diligence where data privacy is concerned, as well as how important it is to assess security risks when making an acquisition:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

 

What happened?

On 8th September 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott engaged security experts to determine the root cause of the problem, and discovered that there had been unauthorised access to the Starwood network since 2014.

Marriott believes that information on up to approximately 500 million guests has been compromised. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

For some, the information also includes payment card numbers and payment card expiration dates. Even though the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), Marriott has not been able to rule out the possibility that card numbers and expiration dates were taken.

For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

 

What went wrong?

As I see it, the crux of the problem is a huge underestimation of the risk associated with the data Marriott bought, particularly the security risk. The ICO’s investigation found that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.

The massive delay between the breach and Marriott becoming aware of it is a clear indication of a neglectful attitude towards the security issues of the Starwood acquisition.

Cyber security expert, Brian Krebs, has a similar line of thought. He believes that: “The only way a company the size of Marriott can have a breach this big, for this long is that nobody’s looking for it”.

A key learning point from the incident is for organisations to ensure that customer privacy and data security are built in to the core of their products and services with a greater level of care.

One way to achieve this is by using security tools to verify who the user is and whether or not they are authorised to access a particular application or dataset. Keeping employees better informed and trained to identify and respond to digital threats is another way to ensure security is built in to the culture of an organisation. In Marriott’s case, better vendor management would have at least allowed for faster identification of the breach.

The government, of course, have their part to play in data protection. Although punitive, regulations like the GDPR are incentives for organisations to clean up their act and build security and privacy in to their culture.

The attack was state-sponsored, allegedly carried out by the Chinese, which may lessen Marriott’s culpability. Regardless of the attacker, Marriott’s detection and response were not ideal. Having an incident response plan in place would have enabled the clean up to go much more smoothly.

Ray Walsh, a cybersecurity and VPN expert, suggests that the hack was performed by infiltrating systems using a phishing attack – which to me is a fairly elementary technique. Reservation and point of sale systems may have been poorly maintained and staff insufficiently trained to keep up with the ever changing nature of phishing attacks.

 

Business impact

I see that Marriott shares closed down by 5.6 percent, which is (allegedly) their biggest decline since June 2016. Investors are obviously watching for the fallout from the hack.

Financial costs aside, I believe the biggest impact Marriott will face centres around their brand and customer loyalty – which is fairly ironic considering the acquisition of Starwood was all about merging loyalty schemes in the first place.

Will Marriott’s customers still want to commit to the rewards programme? Have Marriott destroyed their relationship with the regular business travellers they paid so much to acquire?

Also, the breach is another grim reminder for me of one of today’s biggest cyber security issues: the coyness of organisations when it comes to disclosing information about breaches and attacks. Of course this is understandable, in part, given the major loss of reputation that is so often the consequence of publicity. But the disclosure of the specifics of a breach will help to improve the security ecosystem and stop the same mistakes from being made again.

 

What does the future look like for Marriott?

The impact of the GDPR fine will hurt, but of course it won’t be completely debilitating.

ICO are still considering their final decision: “Marriott has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”

Marriott are offering guests one year of free access to a service that monitors whether consumer information is being shared:

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center.”

Marriott will continue to work with leading security experts, including the ICO, to improve. They are devoting resources to phase out Starwood systems and accelerate ongoing security enhancements to their network.

In the world of hospitality, an industry that relies on customer loyalty, I believe the episode is likely to prompt many chains and owners to properly consider the risks associated with privacy and security, before they make their next acquisition. And, to take another look at how data is protected across their systems and network.

 

Don’t let cyber security cause you to fall short. Make sure you’ve ticked all of the boxes when it comes to IT security.