Marriott International Inc – ICO Monetary Penalty Notice

The ICO's monetary penalty notice fining Marriott £18.4m over the breach of the Starwood guest reservation database contains some important points on the technical failings that gave rise to the breach, and on the risk that an acquired business (here Starwood) brings undiscovered security vulnerabilities with it into the acquirer's estate.

Multifactor authentication (MFA) shortcomings featured significantly in the notice, though they were not taken into account in fixing the penalty because of assurances on which Marriott had relied. The factors that were taken into account included insufficient monitoring of privileged accounts, insufficient monitoring of databases, inadequate control of critical systems (for example through whitelisting), and the lack of encryption of payment card data and passport numbers.

Marriott's submission that Article 33 of the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected. Instead, a controller must be able reasonably to conclude that it is likely that a personal data breach has occurred; it is from that point that the Article 33 clock (notification without undue delay and, where feasible, within 72 hours of becoming aware) starts to run.
