Would Espionage at the Marriott mean the Maximum GDPR Fine?

Marriott Hotels recently announced that up to 500 million guests of its Starwood subsidiaries were affected by a data breach. 327 million of those guests were reported to have had ‘some combination’ of their arrival and departure information, passport numbers and account information accessible to an attacker from 2014 to 2018. Encrypted credit card details were also taken in the breach, and Marriott has yet to confirm whether the decryption keys were taken as well.

Why is this breach so serious?

Persistent access to the database, particularly to “arrival and departure information”, would have allowed the attackers to view the travel schedules of millions of clientele as they stayed in luxury hotels across the world. With a number of commentators suggesting espionage as a potentially powerful motivation behind the attack, this breach has been talked about as a security issue as much as a privacy issue.

Today (December 7th) those fears seem to have come one step closer to reality.

Reuters have reported that the investigative team looking into the Marriott breach found “hacking tools, techniques and procedures” associated with hacking groups working for Chinese intelligence.

Espionage and intelligence gathering are believed to be the motive behind the attack because the hackers were inside the database for so long, and only took copies of the names, addresses, passport details and, in some cases, credit card information in 2018.

This suggests that ongoing access to the system, rather than the data itself, was what held value for intelligence gathering purposes, although the report also suggests that multiple groups of cyber criminals may have had access to the database, making it difficult to attribute this breach solely to China.

How will this play out under the GDPR?

Because the unauthorised access continued past 25 May 2018, when the GDPR became enforceable, the regulation applies to this breach. When European regulators assess its privacy impact, the possibility of millions of European residents’ planned locations being surveilled over a four year period will be difficult to mitigate, especially if security controls are shown to have been substandard.

With government officials, industry lobbyists and senior executives from around the world using the luxury Starwood hotel chain, the people affected by this breach are far more likely than most to attract attempted surveillance, extortion or blackmail, and this raises both individual and national security concerns.

For European regulators, there are two serious harms to reckon with:

  • Millions of individuals whose privacy and security were compromised over a four year period, and whose personal information has been taken by potentially multiple cyber criminal groups
  • Threats to national security, if it is proven that the motivation behind the attack was surveillance by a nation state

Lawsuits have already been filed, and this breach may also produce the first truly large GDPR fine. The maximum fine has been estimated at £117m (the GDPR ceiling is 4% of global annual turnover), and if the regulators find evidence of negligent data practices there are enough potential harms to enough citizens to justify levying it.

For the citizens affected this breach is difficult to reckon with, and it might be time to ask whether we can place a price on a data breach that affects individual privacy and national security in this way.

For data privacy and information governance professionals this breach poses serious questions about our ability to govern and protect data of this detail at this scale. Is some data too big to protect, or is it that we’re not taking the issue of protecting it seriously enough? If it’s the former, then the priority for innovation has to shift from ‘let’s do big data’ to ‘let’s avoid too big data’. This would mean a recession in data practices. If it’s the latter, then this is a wake up call for organisations to discover and protect the data they process. Citizens’ right to privacy and security must come first.

John Tsopanis
Data and Privacy Director, Exonar