Marriott Mega-Breach: Will GDPR Apply?
Legal Experts Suspect So, But Investigation Could Take a Year or More
Will Marriott be the first organization to feel the full force of the EU's General Data Protection Regulation, with penalties imposed over a breach that appears to have exposed up to 500 million individuals' personal details?
Since May 25, when GDPR went into full effect, privacy watchers have been wondering if any newly discovered breaches - British Airways, Cathay Pacific, Dixons Carphone - involving Europeans' personal data might lead to a breached business being the first to feel EU privacy regulators' full fury.
What's unclear, however, is how privacy regulators might impose sanctions for breaches that began before GDPR came into effect, but which persisted after May 25.
Legal and privacy experts, however, have told me that regulators have been clearly signaling that any breach that spans May 25 will fall under GDPR's purview.
In an era of mega-breaches, Marriott stands out as being more "mega" than many. But like so many breaches of any size, it appears to trace to a simple-sounding cause: unauthorized database access.
On Friday, Marriott first disclosed that on Sept. 8 it had discovered signs of an intrusion in its Starwood guest reservation database, which covers numerous properties worldwide. On Nov. 19, it confirmed that attackers appeared to have copied and encrypted data for many of the victims, including names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, encrypted payment card information.
Marriott says the breach appears to have begun with a 2014 network hack of Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 for $13 billion (see Marriott's Mega-Breach: Many Concerns, But Few Answers).
The attackers' access may have persisted for four years, during which they obtained customer data pertaining to reservations at various properties until "on or before Sept. 10, 2018," Marriott says in its breach notification.
Bonus question: What do Aloft, Design Hotels, Element, Four Points by Sheraton, Le Méridien, Sheraton, St. Regis, The Luxury Collection, Tribute Portfolio, W Hotels and Westin have in common?
Marriott has said that hackers accessed its "Starwood guest reservation database," and those 11 brands make up Marriott's Starwood portfolio.
Expect Marriott to try to spin this breach as being a historical incident that spiraled out of control.
"There is a paradox now where it is in a company's interests to emphasize the historic nature of a data security incident and state how long an incident has been running and how long systems have been exposed to seek to show that the GDPR should not apply," Ian Birdsey, a partner at Pinsent Masons who specializes in cyber risk, says in a blog post. "This reflects the size of the potential financial penalties that can be levied under the GDPR when compared to pre-GDPR legislation."
Taking the U.K. as an example, before GDPR came into effect, the Data Protection Act 1998 applied. When privacy regulators found that companies had violated the DPA - due to poor security practices, for example - they could impose fines of up to £500,000 ($640,000). Only two organizations - Equifax and Facebook - received the maximum penalty.
But organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) - whichever is greater - as well as other potential sanctions, including losing their ability to process personal data. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.
The U.K.'s privacy watchdog, the Information Commissioner's Office, says GDPR penalties - as enacted in the U.K. via the Data Protection Act 2018 - are not meant to be punitive. Organizations that try to do the right thing won't be punished simply for failing. Also, the 72-hour deadline for an organization to alert authorities in the case of some types of breaches isn't meant to serve as a "gotcha," but rather so that regulators can help (see: GDPR: UK Privacy Regulator Open to Self-Certification).
You Buy It, You Own It
Marriott wouldn't be the first organization to have been hacked due to systems it acquired and then failed to properly manage or secure. But it should not count on this to assist its data security defense.
Take TalkTalk, which was hacked in 2015 via SQL injection attacks against a database that was originally created by Italian telecommunications firm Tiscali.
An ICO investigation found that after TalkTalk acquired Tiscali's U.K. operations in 2009, it failed to properly catalog and manage the acquired infrastructure. Fast-forward to 2015, when hackers used an automated vulnerability scanning tool to find and exploit a SQL injection flaw that gave them access to a MySQL database. That database, too, had been created by Tiscali but was by then owned by TalkTalk, which had failed to apply a patch, available since 2012, that would have eliminated the critical MySQL flaw the attackers exploited.
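To make concrete what "an automated tool exploiting a SQL injection flaw" looks like against a database the acquirer forgot it owned, here is an added example (not code from the article, TalkTalk or the ICO). It places an injectable lookup beside its parameterized replacement and runs both against an in-memory SQLite database; the table, its rows and the two attacker payloads are constructed for illustration, and SQLite stands in for MySQL so the code runs offline.

```python
"""Added example, not from the original article: a SQL-injectable customer
lookup next to its parameterized fix, exercised with the two payloads an
automated scanner typically tries first (a tautology and a UNION query).
The schema and rows below are constructed sample data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed in-memory customer table (stands in for the
    inherited MySQL database in the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_ref TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_ref) VALUES (?, ?)",
        [("alice@example.com", "ACC-0001"), ("bob@example.com", "ACC-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately unsafe: the caller's input is spliced into the SQL text,
    so a quote character lets the attacker rewrite the query."""
    sql = "SELECT email, account_ref FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the value travels as a bound parameter, never as SQL text,
    so quotes and comment markers in it are just data."""
    sql = "SELECT email, account_ref FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Payloads of the kind an automated scanner injects into every input field.
TAUTOLOGY = "' OR '1'='1"          # makes the WHERE clause always true
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master--"  # reads the schema


def demo() -> dict:
    """Run both payloads through both lookups; returns the row counts and the
    schema text the vulnerable path leaks."""
    conn = build_db()
    leaked_schema = lookup_vulnerable(conn, SCHEMA_DUMP)
    return {
        "vulnerable_tautology_rows": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "parameterized_tautology_rows": len(lookup_parameterized(conn, TAUTOLOGY)),
        "vulnerable_schema_leak": leaked_schema[0][1] if leaked_schema else None,
        "parameterized_schema_leak": lookup_parameterized(conn, SCHEMA_DUMP),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload turns the vulnerable lookup into a dump of every customer row, and the UNION payload returns the table definition from `sqlite_master` (on MySQL a scanner would target `information_schema` the same way). The parameterized lookup returns nothing for either, because the payload is compared as a literal email address rather than executed. Patching the database engine, as TalkTalk failed to do, closes one door; parameterizing the queries closes the one the scanner walked through.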
After a year-long investigation, the ICO slammed TalkTalk with a fine of £400,000 ($515,000), which was a record at the time (see: Two Friends Who Hacked TalkTalk Receive Prison Sentences).
Countdown to Late 2019
As privacy watchers wait to see whether EU data protection authorities apply GDPR to the Marriott breach, one thing is clear: We likely won't know one way or another for some time.
For starters, that's because Marriott is still investigating the breach. As such investigations progress, breached businesses may find that the intrusion is better or worse than they initially suspected (see: Data Breach Notifications: What's Optimal Timing?).
In the aftermath of really big breaches, organizations often appear before the U.S. Congress, U.K. Parliament, European Parliament or other legislative bodies to answer pointed questions, leading to further details coming to light.
So when it comes to seeing how Marriott's Starwood breach plays out on the regulatory front, stay tuned for 2019, or maybe even beyond.