What were the data protection breaches?

The MPN identifies a lack of multi-factor authentication and four 'principal failures'. The MPN contains a technical discussion of:

1) insufficient monitoring and logging of privileged accounts;

2) insufficient monitoring of key databases;

3) lack of server hardening/whitelisting/'defence in depth'; and

4) a lack of evidenced rationale for why it had not encrypted more of the data it held.

The MPN also notes a failure to have regard to NCSC guidance and a lack of due diligence on the Starwood systems. The MPN also notes deficiencies in the notifications Marriott gave to affected individuals - a reminder to plan and execute breach responses carefully.

What to take away

There are a number of parallels between the technical security deficiencies the ICO found in the Marriott case and those in the British Airways fine - see our post on this here.

Both BA and Marriott contended that they did in fact have sufficient security in place to discharge their security obligations under data protection law, and disputed the ICO's assessment of the potential effects of the breaches on individuals. The lack of a clear standard creates uncertainty for data controllers. Large data controllers in particular (and those processing large amounts of sensitive information) should review the technical findings in both MPNs with their cybersecurity advisors, since these findings demonstrate the standards the ICO expects; any departure from the core guidance cited in the MPNs should be justified and documented. The route by which each penalty was calculated, and how the ICO responded to (at times similar) submissions in both cases, is also of interest to data protection specialists.


ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure