A Failure to Learn the Lesson?

Fresh Data Breach Heartbreak for Marriott Hotel Group
In December 2018, Marriott International disclosed a breach which had impacted some 383 million guest records. Industry specialists at the time viewed the data failure as a key example of the risks inherent in mergers and acquisitions. The worldword hotel chain had, without their knowledge, inherited a pre-existing security flaw from Starwood Hotels and Resorts when it absorbed that group in 2016. Subsequent investigation indicated that the Starwood server had been compromised as early 2014.
That data breach led to a $124 million ($155 million) fine from the UK’s Information Commissioner’s Office acting under GDPR. The fine was justified by Marriott’s failure in its exercise of due diligence in the inspection of its newly acquired technology stack.
Following that incident, Marriott’s president and chief executive Arne Sorenson told clients that, “We deeply regret this incident, … We fell short of what our guests deserve and what we expect of ourselves.”
Unfortunately for Marriott International, the company finds itself offering its apologies for a further data breach less than 18 months later.
In a statement on the 31st of March 2020, the hotel giant acknowledged that due to activity which began in mid-January of the same year, approximately 5.2 million guests’ financial information has been compromised.
The new breach impacted a guest services application used by numerous hotels operated and franchised under the various brands of the Marriott group.
On this occasion, the client information exposed includes the following:
-Dates of birth
-Full names
-Postal addresses
-Loyalty card information (e.g. frequent flyer miles balances with partner airlines)
It has already been suggested that under the California Consumer Privacy Act (often referred to as the “GDPR lite”), Marriott could be facing a fine of $750 for each data subject concerned by that piece of legislation.
Obviously, from a PR perspective, this is nothing short of disastrous for a multinational company that suffered such a huge data breach in very recent memory. The fact that the breach seems to have started in the middle of January but wasn’t detected and dealt with until the end of February is an additional concern. The process of notifying the customers whose data was revealed did not begin for a further month.
Coming so soon before COVID-19 brought the world economy, and in particular the travel and hotelier industry, to a standstill, the timing of the latest breach is the salt in Marriott’s wound. Thousands of Marriott employees have been furloughed, hotels have been temporarily closed, and its stock shares have taken a hit as part of a global downturn.
Lightning strikes twice
The question on the lips of many observers is, somewhat understandably, ‘How on earth could Marriott have allowed this to happen so soon after being on the receiving end of a $155,000,000 fine?’
The recent data breach was the result of a malicious hack which involved wrongdoers gaining access to the hotel chain’s database through the use of two employees’ login information. Human error, therefore, is perhaps more to blame than that the technology employed by Marriott International.
Data theft is becoming an increasingly common crime. Data stolen on this occasion could prove to be very valuable should it make its way into the wrong hands.
It is of course foolish to speculate on the exact circumstances of the role of the staff members without being privy to all of the facts, but it is clear that prudent data processors should take heed of the difficulty in which Marriott currently finds itself. Compliance with GDPR or CCPA is not just a question of using the correct IT system or even having a knowledgeable and competent Data Protection Officer in place; it is also essential to provide adequate training (and regular retraining) of employees involved in any stage of the data handling hierarchy about cybersecurity protocols.
Process in cybersecurity is Key
An essential part of cybersecurity for any datahandler or processor is to have the correct processes in place. The basics are to have the ability to identify data breaches as quickly as possible, to take measures to halt them and to report them to the authorities in accordance with legislation.
Although the two breaches are different in nature, it seems that Marriott did not ‘learn its lesson’ so to speak following the 2018 case. While Marriott certainly invested in cybersecurity technology and reinforced its defenses in the aftermath of its enormous fine, it does appear that perhaps some issues with respect to employee knowledge or training were overlooked.
In March 2020, Virgin Media Ltd revealed that it had suffered a data breach which could cost them up to $5.5 billion. The internet and TV supplier stated that the problem was caused by simple employee negligence. A very costly error indeed.

The scale of the potential financial costs, and the related reputational damage resulting from such breaches, should serve as stark warning to all companies to get their houses in order to ensure they are GDPR compliant – and that includes the adequate training of employees.

About Eoin Campbell 21 Articles
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.