Final GDPR penalty for Marriott comes in at £18.4M
The UK Information Commissioner announced the final penalty for Marriott International this week. The £18.4 million ($23.8 million) penalty is down from the previously announced £99 million. Marriott has announced that they do not plan to appeal and “deeply regret” the incident.
The 2018 incident involved a breach of data from the Starwood Preferred Guest loyalty programme [vol. 1, iss. 24]. There are lots of big numbers associated with the incident: 339 million personal records, with an estimated 30 million of those being European residents that would be covered by the ICO’s investigation.
Coverage such as The Register’s has used these figures to arrive at a ‘5p per record’ claim. The fine represents 2.8% of the maximum that the regulator could impose.
Also, while the attackers were inside Starwood’s network for four years, the period covered by GDPR amounted to approximately three months. The ICO say that should still have been plenty of time for Marriott, and Accenture, their managed service provider, to detect the malicious use of privileged accounts.
In 2019 the company, which has 1.4 million hotel rooms, operated at almost 72% occupancy and earned $116.91 per available room, for a 6% profit margin. The fine is comparable to wiping a week’s profit from the chain’s 2019 operations: something that would catch the eye of the board.
2020 is a very different year for hotel operators though. Q2 results for the company show that occupancy has plummeted to 17.5% with earnings per available room of just $17.50. Marriott International made a Q2 2020 loss of $232 million. The fine extends the operating loss for the company by over 10%.
The attackers were inside the Starwood network for a long time before discovery, and throughout the entirety of the due diligence process carried out by Marriott. I think this is one of the most interesting lenses through which to view this incident.
The fees for the merger were estimated to be $140M. Against these, the fine, as a result of poor cyber due diligence, represents a premium of 17% on the transaction.
As part of the acquisition, all data and services have been migrated to a new loyalty programme (Marriott Bonvoy) and the legacy Starwood networks have been decommissioned. Marriott’s IT security spend has also doubled, from pre-breach discovery levels of $49.5M to $108.5M in 2020.
Had the breach come to light during due diligence then Marriott would almost certainly have been able to discount the pricing, and maybe even have avoided the competition that saw their bid increase by 16% from $3BN to $3.6BN.
It’s a costly oversight and lesson learned for Marriott and one that any company engaging in mergers and acquisitions can learn from.
bbc.co.uk, theregister.com, ico.org.uk
PS: If you’re involved in M&A activity then Cydea can help you to understand and quantify the cyber risk that a target represents and are experienced in carrying out due diligence reviews. You can get in touch via cydea.com.
$100 million allegedly made by REvil ransomware gang in the last year bleepingcomputer.com
212% increase in business email compromise / invoice fraud attempts at group inboxes in the last quarter, according to Abnormal Security scmagazine.com
Other newsy bits
US Clean Network Program is generating a market for Huawei’s 5G competitors
The Slovak Republic, Bulgaria, Kosovo, and North Macedonia have joined 17 other European countries, including the UK and France, in using ‘trusted’ 5G providers in their networks. It’s a move that essentially minimises or eliminates the role for Huawei within 5G networks on the continent. Huawei’s aggressive pricing and commercial terms have proved attractive to many network operators. The US appear to have understood that national security concerns alone do not trump the economic arguments for using the Chinese company’s gear in 5G networks. Under their ‘Clean Network Program,’ the US tactics are generating a market that is more economically beneficial for Huawei’s competitors and that will, hopefully, reduce their relative cost of sale and make the equipment cheaper to purchase. zdnet.com
Health has a new ransom threat
Cybercriminals in Finland that compromised a psychotherapy practice have adopted a novel tactic for monetising their breach: ransoming the individual patients to not release their records. Vastaamo, which operates 25 therapy centres, helps tens of thousands of patients with their mental health. It’s a disturbing evolution of data breach tactics and, presumably, the attackers figure that the victims have more to lose, and will be more willing to stump up a greater combined sum, than the firm would on its own. Patients have received emails demanding €200 to prevent the disclosure of their data, while €540,000 is also being demanded from the company itself. theguardian.com, cyberscoop.com
Redaction is really hard if you include an index of terms
A heavily redacted version of Ghislaine Maxwell’s 2016 deposition was recently released, covering questions into the sexual abuse scandal surrounding Jeffrey Epstein. Slate has reverse-engineered a lot of the redacted terms, in part because of the index in the document. Terms are redacted there, but they are listed in alphabetical order and link to pages where they may not have been redacted. As a way of protecting the confidentiality of the information, it’s better than just setting the font and background colours to black, but not by much. slate.com
ENISA Threat Landscape report
Eighth edition of ENISA’s threat landscape analysis includes detailed threat reports for the top 15 threats that ENISA has observed in the last year. europa.eu
Attacks, incidents & breaches
- Wisconsin Republican Party duped out of $2.3M by fake invoices in business email compromise scam theregister.com
- Donald Trump’s campaign website defaced for crypto-currency scam arstechnica.com, cyberscoop.com
- Maze ransomware group shutting down operations, affiliates moving to Egregor malware bleepingcomputer.com
- KashmirBlack botnet behind many attacks on content management systems like WordPress, Joomla and Drupal zdnet.com
- US CISA issues alert on Kimsuky, a North Korean threat actor with an intelligence gathering mission cisa.gov
- “If you haven’t patched WebLogic server console flaws in the last eight days ‘assume it has been compromised’” theregister.com
- Windows vulnerability, CVE-2020-17087, being actively exploited, unlikely to be patched within two weeks arstechnica.com
- Chrome soon to get its own root certificate store, away from that of the operating system zdnet.com
- Office 365 now supports ‘plus addressing’ feature for disposable/traceable email addresses, like [email protected]. bleepingcomputer.com
- Experian told to adjust ‘invisible’ data processing practices by ICO, will take regulator to court to appeal theregister.com
- At the end of November the US DOD’s assessment methodology for NIST SP 800-171 will come into force. Defence contractors will be required to self-assess. A second framework, the Cybersecurity Maturity Model Certification (CMMC), will be rolled out over the next five years wiley.law
Mergers, acquisitions and investments
- Kandji raises $21M series A funding round for Apple device management solution techcrunch.com
THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD
Props to techies having a bit of fun this week: to the person who registered a company name that included special HTML characters that, if not properly escaped, would execute a cross-site scripting attack. And to the admin at Companies House who, after finding their own systems were OK but that other consumers of their API were at risk, has renamed the visible name of the company to “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD.” @jonty tweets, theregister.com