"How May I Compromise Your Stay?" - Marriott Data Breach Lessons

data protection Oct 30, 2020

Today we learned of the Information Commissioner's Office (ICO - the data protection regulator in the UK) decision to fine Marriott Hotels for a breach of data protection regulations.

The fine in the UK is £18.4 million.  Which is a serious amount of money.

A group legal action, currently waiting in the wings, is likely to heap further financial penalties on the hotel group.  Now the ICO has completed its investigation and imposed a fine, all a lawyer needs to do is point at the ICO paperwork and repeat what it says.

You can read about it in this article on the BBC website.

The Lessons For Hoteliers

  1. If you are buying a hotel, it will include the personal data belonging to previous and prospective hotel guests.  Make sure the vendor has been paying enough attention to the task of looking after that personal data.
  2. The devil is in the machines.  Hotels use a great many third-party data processors.  Many of them collect personal data and keep it for longer than they should.  This is often because the data controller (this could be you?) doesn't know enough about how to keep these third-party processors honest.  In some cases in our experience, this comes across as the hotelier not caring.  I have had hoteliers look at me and shrug their shoulders when this topic was raised.  If you don't know, pay someone to find out on your behalf.  Few of us can shrug our shoulders at £18.4 million leaving our business.
  3. Trust was misplaced.  Customers trusted this company, their systems and procedures.  Yet they were fundamentally compromised.  Nobody senior enough was paying enough attention.  Personal data is a critical business asset.  How valuable the personal data is depends on the trust associated with it.
  4. A significant problem with the Marriott data breach is that it was just too big.  Some hoteliers running their own hotels simply couldn't equate it with their own business.  It was almost irrelevant.  However, it boils down to making sure your technology is as secure as you can make it, that it is monitored, that enough attention is paid to keeping it up to date, and that those responsible for it are adequately trained.
  5. There, but for the grace of God, go the rest of us.  All for the want of a bit more attention applied in the right places.

Above all, caveat emptor:  Don't buy somebody else's personal data disaster.


The purpose of this blog post isn't to gloat.  Those of us involved in data protection watched dismayed as the story of the breach unfolded, glad that it wasn't us.  We know what it's like to deal with a breach.  The scale of this one really was difficult to imagine.

My point is that mistakes and errors happen.  They are part of the data protection environment in which we all work.  Yet we can minimise the opportunity for error by applying ourselves properly at the start of a project and by behaving responsibly throughout our processing.  Marriott certainly didn't set out to have this breach happen but with the best will in the world they created the conditions where it could.

And as hoteliers, we all need to learn from that.
