Lack of security of customer data – high fine imposed on Marriott hotel chain in the UK


On 30 October 2020, the United Kingdom’s Data Protection Authority (ICO) imposed a fine of 18.4 million pounds on the US hotel chain Marriott. The reason for this was a massive data leak. The company had failed to securely store the personal data of several hundred million customers.

The decision is interesting not only from a data protection perspective. Rather, the timeline makes abundantly clear that data protection aspects must be given particular weight in the course of corporate transactions:

As early as 2014, a cyber attack on the reservation database of the Starwood Hotel Group took place. It gave unknown perpetrators access to 339 million guest records. In addition to names, addresses and telephone numbers, unauthorised persons could also access sensitive data such as passport and credit card numbers. The perpetrators had installed code known as a "web shell" on a device in the Starwood network, which enabled them to access it remotely. Using this access, the unknown attackers installed malware (Remote Access Trojans) and thus gained far-reaching access to the entire network and, in particular, to the reservation database.

In 2016, two years later, Marriott acquired Starwood Hotels. The security gap remained undiscovered until September 2018, and thus even after the GDPR came into force.

During the due diligence carried out in the course of the takeover of the Starwood Group, Marriott examined the type of personal data to be acquired, but not the adequacy of the security measures. The Starwood reservation system continued to be operated after the acquisition. Although the compromise had already existed for two years at the time of the acquisition, it was not detected, and the affected environment was thus integrated into Marriott's IT systems.

The ICO’s investigation revealed in particular failures by Marriott to take adequate technical and organizational measures to protect the personal data of customers processed in the systems, as required by the GDPR. The ICO defined, among other things, four major failures which justify the fine:

  1. insufficient monitoring of administrator accounts,
  2. inadequate monitoring of databases, in particular the lack of a risk-based protection concept, the absence of security alerts and insufficient logging and log review,
  3. lack of control of critical systems, in particular lack of whitelisting, and
  4. lack of encryption of sensitive personal data.

In its decision, the ICO emphasizes that the main cause of the data protection breach was the lack of monitoring of the systems, and underlines the importance of correct configuration, regular monitoring and control of IT systems. The fine was lower than originally announced, partly because the economic burden of the Covid-19 pandemic was taken into account.

For the advisor in corporate transactions this means:

  • Carrying out due diligence on the target company without examining the measures necessary to meet the requirements of the GDPR is extremely risky:
    DD teams should therefore, if this has not already been done, be supplemented by experts in the field of data protection. In terms of content, the examination should in future cover not only the classic areas of contract law, company law, labour law and taxation (and possibly other areas as well), but also the existence and design of the target company's data protection management system.
    Otherwise, the advisors on the buyer's side face considerable liability risks.
  • It follows from the above that the usual catalogue of guarantees in sale and purchase agreements should definitely be supplemented by appropriate provisions regarding the target company’s compliance with data protection requirements.
    In our experience, such clauses are currently extremely difficult to negotiate because the seller side itself is hardly ever convinced that it is well positioned in this area.
  • Taking this into account, it may in appropriate cases be useful to carry out a so-called vendor due diligence as part of the preparation of a sales process, possibly limited to data protection. Often there is still enough time in the preparatory phase to prepare any missing documentation, to clean up databases and to set up an at least rudimentary data protection management system. These measures contribute considerably to the saleability of the company.

Details of the cyber attack and a detailed assessment by the regulatory authority can be found in the 88-page Marriott International Inc monetary penalty notice (there under section 3 and from section 6.12) here: https://ico.org.uk/action-weve-taken/enforcement/marriott-international-inc/

Axel Keller
Rechtsanwalt in Rostock
Tel.: +49 381 12 88 49 0