By decision of 30 October 2020, the ICO (i.e., the UK data protection authority) issued an £18.4 million fine on Marriott International Inc for failing to comply with its GDPR security obligation.
This decision stems from a cyber attack on Starwood, a company acquired by Marriott in 2016, which was notified to the ICO in 2018. The ICO investigation traced the cyber-attack back to 2014. It concerned millions of customers' personal information, including, among other things, their reservation details, payment card details, and passport numbers.
The ICO considers that Marriott failed to implement:
- Sufficient monitoring of privileged accounts;
- Sufficient monitoring of databases;
- Sufficient control of critical systems;
- Full encryption of the passport information contained in the databases; Marriott also lacked an explanation of why less sensitive data was not subject to encryption.
In its notice of intent, the ICO initially planned to issue a £99 million fine. However, the amount of the penalty was lowered, taking into consideration Marriott's representations and mitigating factors such as the action taken by Marriott following the discovery of the attack and the Covid-19 pandemic.
Because the breach happened before the UK left the EU, the ICO acted as lead supervisory authority under the GDPR. This means that the other EU DPAs approved the penalty notice and the actions carried out by the ICO through the GDPR cooperation process.
This is the second penalty relating to a cyber-attack that the ICO has issued while acting as lead supervisory authority, the first one having been served on British Airways last month. It therefore provides a good insight into the Data Protection Authority's expectations regarding the level of security to be implemented, in particular in large organisations or organisations processing a large amount of data.
1. Circumstances of the Attack
Marriott acquired a company named Starwood in September 2016. After the acquisition, the Marriott and Starwood computer systems were kept separate. As a result, the attack did not involve access to the wider Marriott network.
The attack started on 29 April 2014 when the Attacker installed a web shell on a device within the Starwood network.
The installation of a web shell on the server enabled the Attacker to remotely access the system and install Remote Access Trojans (RATs), malware enabling remote administrator control of the system. As a result, the Attacker would have had unrestricted access to the relevant device and to any other devices on the network to which that administrator account had access.
On an undetermined date, the Attacker installed Mimikatz. This post-exploitation tool scanned the server for all the usernames and passwords temporarily stored in system memory, allowing the Attacker to continue compromising user accounts.
In April and May 2016, the Attacker may have created three files named "Reservation Room", "consumption room type" and "reservation room sharer" on a Starwood device to exfiltrate data contained in tables kept in the system. Marriott's investigators later found that the Attacker managed to exfiltrate data from four main files (listed below).
On 7 September 2018, the Attacker performed a "count" on the "Guest master profile" table, so that they knew how many rows the table contained, and exported it. The "count" triggered an alert on the Guardium system, a security system run by Accenture, Marriott's service provider.
On 10 September 2018, the Attacker exported the PP master table to a "dmp" file on the Starwood system. Following the Guardium alert, Marriott instigated its information security and privacy incident response plan.
At the end of its investigation, Marriott found that the Attacker had exfiltrated the following files:
- Guest master profile table;
- The reservation room share table;
- Consumption room type table;
- PP master table.
2. Discovery and reporting of the breach
On 8 September 2018, Accenture, the company managing the Starwood Guest Reservation Database, contacted Marriott's IT team regarding the Guardium alert of 7 September.
On 12 September 2018, Marriott deployed real-time monitoring and forensic tools on 70,000 legacy Starwood devices.
Between 15 and 17 September 2018, Marriott identified further unauthorised activity dating from 7 July 2018 (i.e., use of Accenture employees' credentials) and the presence of a RAT (i.e., a trojan). Marriott took action to contain the RAT.
In early to mid-October 2018, Marriott also identified the Attacker's use of Mimikatz on several occasions since 2014, as well as the memory-scraping malware.
Between 13 and 19 November 2018, Marriott identified two compressed and previously deleted files (the guest master file and the PP master file). Once it decrypted these files, it appeared that they contained the guest master profile table and the PP master table.
On 22 November 2018, Marriott notified the ICO of the personal data breach.
On 25 November 2018, Marriott discovered the files "Reservation room sharer" and "consumption room type" created on a Starwood device.
On 30 November 2018, Marriott provided a follow-up report to the ICO regarding further personal data breaches. Marriott also issued a press release about the Attack and established a dedicated Starwood incident website. It also began sending notifications to affected data subjects, containing a link to the dedicated website, which included the phone number of the call centre. The ICO requested that the email be updated to include the phone number itself; the revised version was sent on 9 December 2018.
3. Personal data involved
The Attacker may have obtained personal data in both encrypted and unencrypted forms.
3.1. Unencrypted information
The attacker may have obtained access to the following information:
Guest master profile table: guest ID number, name, gender, date of birth, VIP/not VIP, Starwood loyalty programme membership (or not), mailing address, passport country code, phone number, fax number, email address, and credit card expiration date.
Reservation room share table: central reservation confirmation number, room ID, guest name, SPG account information, VIP or not, VIP code, 5.25 million unencrypted guest passport numbers (including 935,000 EEA passports), country of guest passport, arrival time, departure date, address, phone and fax number, email address, whether the guest has checked in, flight number and airline code, and the total number of guests in the room.
Consumption room type table: reservation confirmation number, guest master profile ID, room ID, room type, number of child guests, number of adult guests, number of cribs used in the room, number of roll-away beds designed for adults and for children, and guest arrival date.
PP master table: the decryption key for the passport number records. However, Marriott considers that this would not be sufficient to decrypt the passport numbers, as a master encryption key is also required.
3.2. Encrypted information
- 18.5 million encrypted passport numbers, 4.29 million of which are EEA passports;
- 9.1 million encrypted payment cards, 873,000 of which are associated with EEA member state records.
Marriott estimates that 339 million guest records were affected, of which 30.1 million were EEA records. All data subjects were affected by the pre- and post-GDPR attacks. However, the specific personal data involved differed between data subjects.
4. Scope of the decision
The ICO does not take into consideration any potential GDPR infringements that occurred between the acquisition of Starwood and the entry into force of the GDPR on 25 May 2018.
The penalty notice concerns only Marriott’s breach of its GDPR obligations.
5. Marriott's failures to comply with its GDPR security obligations
The ICO identified four principal failures by Marriott to put in place appropriate technical or organisational measures to protect personal data.
5.1. Insufficient monitoring of privileged accounts
According to the ICO, the logging of user activity, in particular that of privileged users, once within the CDE (the cardholder data environment) would have helped the detection of unusual account activity, in addition to the logging done by the Guardium software.
In this regard, the ICO recalls that the National Cyber Security Centre (NCSC), as part of its 10 Steps to Cyber Security guidance, lists "monitoring" as one of the relevant steps. It should include the monitoring of network traffic and user activity.
According to the ICO, it was not sufficient to only implement Multi-Factor Authentication and certain additional security measures. It expected the implementation of multiple layers of security and better monitoring of user activity to aid in the detection of the attack.
Such a step would include the implementation of effective monitoring (including logging) and alerting as part of Marriott's wider security measures.
5.2. Insufficient monitoring of databases
According to the ICO, Marriott also failed to adequately monitor the databases within the CDE.
In this respect, the Commissioner is concerned by the following three failures:
- Deficiencies in Marriott’s setup of security alerts on databases within the CDE;
- Failure to aggregate logs;
- Failure to log actions taken on the CDE system (e.g., creation of files and the exporting of entire database tables).
The problem was that Marriott did not ensure sufficient logging of key activities such as user activity or actions carried out on a database. As a result, its security incident and event management system and its SOC were ineffective.
The ICO also noticed that Marriott did not sufficiently log other areas of its network (e.g., firewall and access logs).
The other problem was that Marriott did not log the creation of files on its servers, which allowed the Attacker to export entire database tables to "dmp" files undetected.
Furthermore, the fact that Marriott did not detect the Attacker until alerted by Guardium shows Marriott's failure to test, assess, and evaluate the effectiveness of its security measures.
In addition, there were no alerts at all on tables containing personal data other than payment card details, which were encrypted.
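As an added illustration (not code from the decision, nor from Marriott's or Accenture's systems), the small detector below applies the three points above to a constructed, aggregated log: it alerts on row counts and full exports of any table holding personal data (not only payment card tables), raises the severity when a count precedes an export by the same user, and alerts on the creation of "dmp" files on the database host. The log format, user names and the set of tagged tables are assumptions.

```python
import re
from datetime import datetime, timedelta

# Tables holding personal data. The table names follow the decision; tagging
# PAYMENT_CARD alongside them is a constructed assumption: the ICO noted that
# alerts existed only on the payment card tables.
PII_TABLES = {"GUEST_MASTER_PROFILE", "RESERVATION_ROOM_SHARE",
              "CONSUMPTION_ROOM_TYPE", "PP_MASTER", "PAYMENT_CARD"}

# Constructed, aggregated log format (not Guardium's):
#   <iso-ts> db user=<u> action=<COUNT|EXPORT|SELECT> table=<t>
#   <iso-ts> fs user=<u> action=CREATE path=<p>
LINE = re.compile(r"(\S+) (db|fs) user=(\S+) action=(\S+) (?:table|path)=(\S+)")

def parse(line):
    """Return one event dict, or None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, user, action, obj = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "user": user, "action": action, "obj": obj}

def detect(lines, window=timedelta(days=7)):
    """Correlate database and file-system events; return (severity, user, reason)."""
    alerts = []
    last_count = {}  # (user, table) -> time of the most recent COUNT on a PII table
    for ev in filter(None, map(parse, lines)):
        table = ev["obj"].upper()
        if ev["src"] == "db" and table in PII_TABLES:
            if ev["action"] == "COUNT":
                last_count[(ev["user"], table)] = ev["ts"]
                alerts.append(("medium", ev["user"], f"row count on PII table {ev['obj']}"))
            elif ev["action"] == "EXPORT":
                # A count followed by a full export within the window is the
                # sizing-then-exfiltration pattern described in the decision.
                seen = last_count.get((ev["user"], table))
                sev = "high" if seen and ev["ts"] - seen <= window else "medium"
                alerts.append((sev, ev["user"], f"full export of PII table {ev['obj']}"))
        elif ev["src"] == "fs" and ev["action"] == "CREATE" and ev["obj"].lower().endswith(".dmp"):
            alerts.append(("high", ev["user"], f"dump file created: {ev['obj']}"))
    return alerts

# Constructed sample log mirroring the September 2018 sequence in the decision.
SAMPLE_LOG = [
    "2018-09-07T10:15:00 db user=svc_reporting action=COUNT table=Guest_Master_Profile",
    "2018-09-07T11:02:00 db user=svc_reporting action=EXPORT table=Guest_Master_Profile",
    "2018-09-10T09:30:00 db user=svc_reporting action=EXPORT table=PP_Master",
    "2018-09-10T09:31:00 fs user=svc_reporting action=CREATE path=/u01/export/pp_master.dmp",
    "2018-09-10T12:00:00 db user=app_booking action=SELECT table=Room_Rates",
]

if __name__ == "__main__":
    for sev, user, reason in detect(SAMPLE_LOG):
        print(f"[{sev}] {user}: {reason}")
```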
5.3. Insufficient control of critical systems
According to the ICO, and based on NCSC guidance, Marriott should have implemented a form of server hardening (e.g., whitelisting) as a preventative measure. It could have prevented the Attacker from gaining access to administrator accounts.
Indeed, Marriott could have implemented whitelisting measures on critical systems and on those systems which have access to large amounts of personal data.
The ICO stresses that Marriott could have implemented these measures to the extent necessary without incurring excessive cost or technical difficulty.
5.4. Lack of encryption
Marriott encrypted payment card data, and in some cases passport numbers, using AES-128.
The Starwood reservation database included tables stored in an Oracle database, which provided the functionality to encrypt table entries in this way. It was Marriott's responsibility to configure the encryption correctly.
Marriott did not apply encryption to other categories of personal data, and the ICO was particularly concerned that Marriott only encrypted some of the passport numbers.
The guidelines do not require all personal data to be encrypted, but an organisation should be able to explain why it chooses to encrypt data selectively.
The ICO withdrew its provisional finding of a breach of Article 33 GDPR (i.e., notification of the personal data breach to the ICO within 72 hours), accepting, following Marriott's representations, that Marriott was only aware of the personal data breach from November 2018.
The fact that Accenture was in charge of implementing, maintaining, or managing certain elements of the system does not reduce Marriott's responsibility for the GDPR breaches identified.
7. An £18 Million Penalty
For the ICO, Marriott was negligent in maintaining systems that suffered from the vulnerabilities and shortcomings identified above.
The ICO considered that, given Marriott's scale and turnover, a penalty of £28 million would be appropriate to reflect the seriousness of the breach. However, taking into consideration the mitigating factors, including the COVID-19 pandemic, the fine was reduced to £18 million.
For a full reading of the decision, click here.