On 30 October the ICO published its monetary penalty notice (MPN) against Marriott Hotels - £18.4m. This is the second high-value ICO monetary penalty notice since GDPR came into effect, following the recent MPN against British Airways (a third MPN, against a pharmacy for failure to store records securely, is currently under appeal and was for a less headline-grabbing amount).

What happened

Marriott acquired the Starwood hotels chain, which at the time of acquisition had an already-hacked IT system: it had been compromised in 2014. Marriott became aware of the data breach in September 2018. During the intervening period, personal data such as names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership numbers were compromised.

What were the data protection breaches?

The MPN identifies a lack of multi-factor authentication and four 'principle failures'. The MPN contains a technical discussion of:

1) insufficient monitoring of privileged accounts/logging;

2) insufficient monitoring of key databases;

3) a lack of server hardening/whitelisting/'defence in depth'; and

4) a lack of evidenced rationale for why it had not encrypted more.

The MPN also notes a failure to have regard to NCSC guidance and a lack of due diligence on Starwood's systems, as well as deficiencies in the notifications Marriott gave to individuals - a reminder to plan and execute breach responses carefully.

What to take away

There are a number of parallels between the technical security deficiencies the ICO found in the Marriott Hotels case and those in the British Airways fine - see our post on this here.

Both BA and Marriott contended that they did in fact have sufficient security in place to discharge their security obligations under data protection law, and disputed the ICO's view of the potential effects of the breaches on individuals. The lack of a clear standard creates uncertainty for data controllers. Large data controllers in particular (and those processing large amounts of sensitive information) should review the technical findings in both MPNs with their cybersecurity advisors, because these demonstrate the standards the ICO expects, and any departure from the core guidance cited in the MPNs should be justified and documented. How the penalty was calculated, and how the ICO responded to (at times similar) submissions in both cases, is also of interest to data protection specialists.