GDPR Compliance Post-Mortems: Lessons Learned from Facebook, Uber, and Others – Part 1

Since the EU General Data Protection Regulation (GDPR) went into force in May of 2018, several organizations have received substantial fines from regulatory authorities. This article discusses the lessons learned from one of those fines and the role of a data protection program in preventing future ones.

On July 9, 2019, the UK Information Commissioner’s Office (“ICO”) announced its intention to fine global hotel chain Marriott International about £99.2M. This proposed fine stems from a breach of its guest reservation system that Marriott revealed on November 30, 2018. More specifically, the guest reservation system in question belonged to Starwood hotels, with which Marriott had merged in 2016, and had been breached (apparently) in 2014. Of the approximately 500 million people whose personal data was compromised, about 30 million were EU data subjects. On July 24, 2019, a lawsuit against Marriott was filed in U.S. District Court in Maryland. The 373-page lawsuit consolidates roughly 80 lawsuits filed in the U.S. shortly after Marriott announced the breach. This breach is likely the largest in history. I’ve written previously on the necessity of conducting due diligence for data privacy and information security (“data protection”) during mergers and acquisitions. A comprehensive data protection program (and a dose of healthy skepticism) at Marriott would have almost certainly prevented their inheriting Starwood’s breach.

Multiple Security and Privacy Failures at Starwood and Marriott

According to one lawsuit, a string of security and privacy failures occurred at Starwood and Marriott before the merger was concluded on September 23, 2016.  Included among them:

  • A 2015 breach of Starwood’s point-of-sales (POS) system was incorrectly determined not to have impacted the reservation database;
  • A security researcher found a SQL injection bug on a Starwood website, which was likely used to gain access to Starwood databases;
  • Marriott’s own Computer Incident Response Team was compromised, and attackers gained access to their internal email accounts;
  • A security researcher discovered that six starwoodhotels.com domains were controlled by a Russian botnet; and
  • Starwood’s ServiceNow cloud portals had an easily guessable password, which could allow hackers to access business financial records, security controls, and booking information.

The 2015 breach of Starwood’s POS and subsequent compromise of its reservation database by criminals become the root for the compromise of the personal information of some 500 million people.

Lessons Learned From the Marriott/Starwood Breach

The breach offers us some valuable lessons to incorporate into data protection practices:

  1. Be Skeptical and Employ Third-Party Due Diligence.  Companies should treat merger or acquisition targets with skepticism when it comes to data protection; the target has little incentive to disclose poor practices.  In this case, there was roughly a 10-month period between the signing of the merger agreement and its close.  Marriott’s president stated during Congressional hearings that there was not much that could be done during that period (in terms of scrutinizing Starwood), given that the two companies were competitors.  However, Marriott could have employed a third-party organization to conduct a more thorough level of review.
  2. Use the “Without Undue Delay” or 72-hour standard for breach notification.  Marriott’s investigation began on September 8, 2018 but the company didn’t notify authorities or the public until November 30.  The GDPR’s standard for notification is “without undue delay and, where feasible, not later than 72 hours after having become aware of it[.]”  Marriott was almost certainly already subject to this since they have properties in the EU.  Many, if not most, U.S. data protection laws and regulations use the “without undue delay” or equivalent standard.
  3. Have A Clear Idea of What Personal Information Is in Your Possession.  While Marriott was able to identify the personal information implicated for many of the victims, according to one allegation, “Marriott has not expanded upon or provided more details, leaving [other] consumers without full knowledge of the extent of the breach of their information[.]”  I’ve described the value of a data inventory in other posts; a chief benefit is being able to rapidly determine what personal information is implicated in a breach.
  4. Privacy “Policies” Create Significant Exposure.  Both Starwood and Marriott cited privacy “policies” (really, public privacy notices) that cited use of “appropriate administrative, procedural and technical safeguards” (Starwood) and “reasonable physical, electronic, and administrative safeguards” (Marriott).  Starwood’s breach went unnoticed for 4 years and Marriott didn’t detect it during the due diligence process.  This disparity creates significant exposure for an organization, and will no doubt be highlighted if the class action litigation goes to trial.

How a Data Protection Program Would Have Prevented This Breach

I’ve described in other posts the virtues of a data protection program, which consists of:

  1. Rules that govern how sensitive data is used;
  2. A data protection steering committee;
  3. A data classification matrix;
  4. Policies, procedures, plans, and standards; and
  5. Commitment from the organization’s leadership.

I neglected to mention that this program should be run by a single person who is accountable to the organization’s leadership.  For a consumer-facing organization, that person should not be the CISO, who already has a full-time job just protecting it from a multitude of constant threats.  The job of a data protection program leader is to be skeptical of anything new with respect to personal data: new personal data, new processing of personal data, and/or new sharing of that data.  In the case of Marriott, that skepticism would have manifested by treating new data from the proposed merger as compromised and not useable until proven otherwise. 

It would have been backed up a policy that mandated a complete data inventory, verified by data discovery or similar means, and accompanied by procedures, plans, and standards.  The data would have been classified according to which laws it was subject (e.g., GDPR, CCPA, U.S. state law) and what controls were said to be in place to protect that data.  A report of the foregoing would have been shared with the CISO pending his/her examination of the acquisition target for compromise.  Most importantly, the data protection leader would have had the support of the organization’s management. 

This is true even (and especially) in the case where that leader later determines that the sensitive data of the target is compromised.  It’s difficult to acknowledge when a multi-billion-dollar acquisition experiences a failure of this magnitude.  However, it’s better to acknowledge it as early as possible and mitigate the damage then wait and deal with the consequences later.  And as Facebook, Equifax, and others have demonstrated, “later” always comes.

In this article I described the breach that took place with Marriott International’s guest reservation databases.  In part 2, I will discuss GDPR-related failures at British Airways.

Since the EU General Data Protection Regulation (GDPR) went into force in May of 2018, several organizations have received substantial fines from regulatory authorities.  This article discusses the lessons learned from one of those fines and the role of a data protection program in preventing future ones. 

See how Spirion can help you…