UK: Security standards following the Marriott fine – Great expectations?

The UK Information Commissioner’s Office recently issued its much-anticipated Monetary Penalty Notice against Marriott Hotels, deciding to fine it £18.4 million (€20.5 million). This is a significant reduction from the £99 million (€110 million) figure it originally proposed, but is much larger than any of the fines issued under the old Data Protection Act 1998.

The penalty notice not only provides guidance on future fines, but also highlights great expectations from the ICO about the security measures necessary to defend against cyberattacks.

Failure to (quickly) spot an intrusion

The fine relates to an intrusion into Starwood Hotels’ IT systems back in 2014. The attackers were still inside those systems when Marriott acquired the Starwood chain in 2016. Despite security reviews both before and after the takeover, Marriott did not detect their presence.

However, when the attackers tried to extract payment card information on 7 September 2018, they triggered Marriott’s intrusion detection software. Marriott shut down the attack, investigated the breach and notified the ICO on 22 November 2018.

The fine was issued under the GDPR and so could only address conduct after 25 May 2018. This means the sanction was not because of the original intrusion back in 2014, as that predates the GDPR. Nor was it because Marriott failed to spot the intrusion, as it was picked up by its intrusion detection system.

Instead, the fine was for not spotting the intrusion more quickly during the four months between the GDPR starting to apply and the alarm being triggered in September 2018.

Four specific failings

The GDPR does not impose strict liability for personal data breaches. Instead, controllers and processors must take appropriate technical and organisational security measures to ensure the security of personal data.

The penalty notice identifies four specific failings to meet this standard:

  1. There was insufficient monitoring of privileged accounts. Some controls were in place, but greater logging might have helped Marriott detect unusual behaviour by the attackers.
  2. There was insufficient monitoring of the customer databases. While Marriott had three logging and intrusion detection systems, one of which alerted Marriott to the intrusion, the ICO considered that the alert triggers should have been broader and so detected the attackers earlier.
  3. Marriott didn't properly control the software running on its servers and should have used “binary software whitelisting”. While the ICO appears to accept this was rarely implemented at the time and might not have been effective, it considered that the failure to use binary software whitelisting was a breach.
  4. For performance reasons Marriott had encrypted card data on its database but not other personal data, such as passport details. Marriott could not provide a risk assessment to support this decision.

Evolution of security expectations

This enforcement marks a break from past practice by the ICO, which mostly involved sanctioning progressive waves of obvious and avoidable security breaches.

For example, 10 years ago most enforcement was the result of storing large amounts of personal data on unencrypted laptops and USB sticks. When businesses finally encrypted their laptops (and employees stopped sticking Post-It notes with their passwords on those devices), enforcement action moved to teenagers using off-the-shelf techniques such as SQL injections. More recently, the enforcement focus has been on failures to implement multi-factor authentication (MFA).

In contrast, this was not an obvious security blunder by Marriott, nor a failure to implement security measures at all. Rather this was a case in which the ICO took a different view about some of the more nuanced judgements concerning the implementation and configuration of Marriott’s security systems.

Three lessons to avoid fines

What do the breach and fine say about the steps you should take in relation to your own systems?

First, you need a multi-layered defence. It is not enough to just focus on stopping attackers from getting into your systems. You should also assume that your systems will be penetrated and plan accordingly. This means not storing sensitive information (such as payment card data) unless absolutely necessary, encrypting that data to prevent exfiltration, monitoring your internal environment for unusual behaviour and using intrusion detection systems to set traps for attackers.

Second, the ICO has fleshed out the broad and flexible obligations to use appropriate technical and organisational measures with heavy and strict references to guidance, particularly from the UK National Cyber Security Centre (NCSC). For example, the Commissioner's decision that Marriott should have implemented binary software whitelisting is largely based on the NCSC cyber security guidance, and the penalty notice refers to no fewer than nine different pieces of IT security guidance, including guidance from NIST and Microsoft. Compliance with NCSC guidance should now be seen as mandatory.

Third, there may be a significant benefit in having a third party audit and certify your information security measures. Perhaps the most obvious and damaging security failure by Marriott was its failure to implement MFA for access to its cardholder data environment. However, Marriott had instigated two information security reviews, before and after the acquisition, which (erroneously) concluded that MFA was in place. The ICO accepted that Marriott was entitled to rely on those reports, and so the failure to implement MFA was not part of the Commissioner's breach assessment.

The clichéd response to many data breaches is that they are the result of a “sophisticated and co-ordinated” attack. While the attack on Marriott may actually fall into this category, that did not save it from a significant fine.

By Peter Church

This article was first published in Global Data Review, available here.