The ICO decision notice fining Marriott £18.4m for data breaches contains some important points on the technical failings that gave rise to the breaches, and on the risks of acquiring other businesses (in this case Starwood) that may have undiscovered security vulnerabilities.
Multifactor authentication (MFA) issues featured significantly, though these were not taken into account in fixing the penalty because of assurances on which Marriott had relied. Factors that were considered included insufficient monitoring of privileged accounts, insufficient monitoring of databases, control of critical systems (through whitelisting), and the lack of encryption of payment card data and passport numbers.
Marriott’s submission that Article 33 of the GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected: instead, a data controller must reasonably be able to conclude that it is likely a personal data breach has occurred.
Judgment on the lawfulness of sharing sensitive personal data relating to a 16-year-old child, including bail conditions, under an information-sharing agreement between the police and a local business crime reduction partnership. The decision also determined that the parties to the agreement were joint controllers of the data, rather than controller and processor respectively, and held that the defendant had implemented ‘appropriate technical and organisational measures’ by using a secure intranet that was encrypted and password protected.