Australian Information Commissioner and Marriott International enter into enforceable undertaking on 4 February 2023
March 10, 2023
Marriott entered into an enforceable undertaking with the Australian Privacy Commissioner over a data breach arising out of intrusions between 2015 and 2018. I have posted on those breaches and the regulatory action taken by the UK Information Commissioner here, here, here and here. Worldwide the breaches affected the personal information of 339 million individuals. In Australia the records of 2.2 million were compromised. The Marriott breach highlighted poor data security practices, with the intrusion continuing over a 3 year period, and the challenges of legacy IT systems. All too often IT systems are cobbled together and not properly maintained.
The enforceable undertaking operates for 5 years. Compared to agreements in the United States between the Federal Trade Commission and organisations for similar transgressions, that is a short time frame; it is not uncommon for the FTC to enter into 20 year agreements. This enforceable undertaking is more robust than the previous few enforceable undertakings the Commissioner has entered into; however, it is not as stringent as those imposed in the United States, where such agreements usually incorporate a very significant fine. Given the legislation in Australia that was not possible.
Some of the relevant matters of note from the enforceable undertaking are:
- An unknown actor accessed the Starwood IT systems and Starwood guest reservation database on four or a maximum of five occasions between 2015 and 2018, including potentially up to 2.2 million records allocated to Australian guests [6].
- Of the 2.2 million records there were:
- 685,326 Australian passport numbers (of which 453,038 were encrypted);
- the encrypted hash value of 254,345 payment card numbers attributed to individuals resident in Australia, and fewer than 80 potential payment card numbers attributed to individuals resident in Australia that were present in database fields that were not designed for the input of payment card information (and were, as a result, not encrypted); and
- 252,000 guest records associated with an Australian based hotel [7].
- in September 2016, Starwood was acquired by Marriott International, Inc. At the time of the acquisition, Marriott was not aware of the unauthorised access to the Starwood systems. Following the acquisition, Marriott maintained the Starwood systems separately from Marriott’s own systems with a view to implementing a phased decommissioning of the Starwood systems [8].
- in September 2018, a monitoring tool deployed in respect of the Starwood guest reservation database generated an alert indicating potential unusual activity in relation to that database [9].
- Marriott successfully contained and remediated the Starwood Security Incident by implementing additional protective and monitoring measures across the Starwood systems, including in respect of the Starwood guest reservation database [10].
- the immediate containment measures included deployment of an endpoint threat detection and response tool, password resets, firewall rule blocks, malware removal, additional access controls, and system rebuilds [11].
- on 19 November 2018, the forensic investigation provided indicators that records containing personal information in the Starwood guest reservation database relating to Starwood guests had been accessed through the installation of malware, specifically a web shell on an external facing web server and a Remote Access Trojan [12].
- The records affected included:
- Guest-related data (including numerical identifiers to identify the guest, guest name, gender, date of birth, whether the guest had been identified as a VIP (including a separate VIP code), whether the guest was a member of the Starwood loyalty programme and their account information, mailing address, passport country code and name, passport number, phone number, fax number, email address, encrypted and unencrypted payment card numbers and expiration date). As noted above, virtually all payment card numbers and the substantial majority of passport numbers were encrypted.
- Guest stay-related data (including a central reservation confirmation number, a unique numerical room identifier, room type, the total number of guests in the room (including the number of adult and child guests), number of cribs used in the room, number of rollaway beds designed for adults and number of rollaway beds designed for children, arrival date and time, departure date, whether the guest has checked in, and flight number and airline code).
- Marriott’s response was:
- to shut down the Starwood systems; and
- to enhance the security and monitoring measures protecting Marriott’s separate systems and its security environment, by:
- Modernising identity access management. Implementing identity access management tools to provide better protection of privileged accounts, restrict access to those individuals approved for a specific business need, and increase visibility and control over devices that join the Marriott network through discovery technology and network access control.
- Broadening deployment of multi-factor authentication, including for web-based and extranet applications, Office365, critical servers, network resources, Linux systems, and cloud environments.
- Enhancing network segmentation. Continuing to work on isolating data based on sensitivity and risk, including by further enhancing Marriott’s network segmentation.
- Endpoint detection. Rolling out advanced endpoint threat detection tools to over 200,000 devices, thereby expanding the ability to identify and address vulnerabilities in its computing environment and applications before the vulnerabilities can be exploited.
- Information security applications & systems assessments. Performing information security and vulnerability assessments on its reservation systems and other high-value targets, applications, cloud environments, as well as other high-risk environments to enhance the resiliency of those targets.
- Personal data security enhancements. Using data access standards, additional database controls and improved data management with a goal of minimising the data that Marriott collects and retains.
- Vulnerability management. Investing in tools to identify vulnerabilities and continuing to prioritise vulnerability remediation including secure code development practices and software code vulnerability scanning tools to identify vulnerabilities.
- Improved cyber security incident response capabilities. Investing in additional staff, executive tabletop exercises, and insider threat tools to monitor and analyse user and entity behaviour for malicious activity. Marriott also implemented an updated incident case management tool to scale its incident response and allow for effective coordination across the company.
- Security governance and enhancing compliance tools. Improving information security governance to promote cyber risk awareness and embed security in all new business discipline initiatives. Increasing visibility and control over devices that join Marriott’s network through discovery technology and Network Access Control (NAC), and extending the capacity needs of intrusion protection and detection (IPS) to meet the internet traffic needs of business at the data centres.
- Other operational improvements. Investing in additional staff for security project management, security architecture and other overall support, and additional secure coding training for developers [16].
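The fewer than 80 payment card numbers that sat in database fields not designed for card data (and so escaped encryption) illustrate a gap that a data-discovery check over free-text fields can surface. As an added example, not from the original post and not Marriott’s own tooling, the Python scanner below flags Luhn-valid card numbers appearing outside the designated, encrypted card field; the field names and sample guest records are constructed.

```python
import re

# Fields designed to hold card data (encrypted at rest); a PAN anywhere
# else is unprotected and is reported. Field names are constructed.
CARD_FIELDS = {"payment_card_number"}

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_record(record_id: str, record: dict) -> list:
    """Return (record_id, field, masked_pan) for each Luhn-valid PAN found
    in a field that was not designed for card data."""
    findings = []
    for field, value in record.items():
        if field in CARD_FIELDS or not isinstance(value, str):
            continue
        for m in PAN_RE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                # keep only BIN and last four so the report itself is not card data
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((record_id, field, masked))
    return findings

def scan_records(records: dict) -> list:
    return [f for rid, rec in records.items() for f in scan_record(rid, rec)]

# Constructed sample guest records; 4111111111111111 is a standard test PAN.
SAMPLE = {
    "G1": {"notes": "Late arrival", "payment_card_number": "4111111111111111"},
    "G2": {"notes": "Guest asked to charge 4111 1111 1111 1111 to the room"},
    "G3": {"notes": "Booking ref 4111111111111112 confirmed"},
}

if __name__ == "__main__":
    for finding in scan_records(SAMPLE):
        print(finding)
```

Only G2 is reported: the designated card field is skipped, and the digit run in G3 fails the Luhn check.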
The Commissioner’s Investigation
On 6 January 2020, the Commissioner notified Marriott that she had initiated an investigation into Marriott in relation to the Starwood Security Incident [17]. The Commissioner held concerns that, in respect of its obligations under APP 11.1 of the Privacy Act, Marriott did not take reasonable steps in the circumstances to protect the personal information. Those concerns included [17] & [18]:
- insufficient monitoring of access and use of its databases and network; and
- inadequate authentication protection to secure the personal information held.
Term of undertaking
The undertaking lasts for five (5) years from the Commencement Date [19] & [20].
Marriott undertakes to:
- continue to implement or otherwise maintain the security measures described above and in Marriott’s responses to the Commissioner’s Investigation or alternative measures as appropriate based on evolving technology, accepted practices, and/or the regulatory requirements and obligations Marriott is subject to either now or in the future (provided that, for the avoidance of doubt, Marriott is only responsible to the Commissioner for compliance with Australian law).
- Take all reasonably necessary steps to ensure that any changes made to Marriott’s information security framework and processes in Australia after the Commencement Date do not materially degrade or materially reduce the overall level of protection afforded to individuals’ personal information in compliance with Australian law.
- Continue, through an appropriate governance process to monitor and oversee the effectiveness of the privacy and security risk management strategy set by Marriott’s privacy and information security leadership and policies (including in relation to Marriott’s information security, data collection, encryption, retention processes as applicable in Australia).
Marriott undertakes to:
- continue to engage an independent third party (or parties) to assess, during 2023 and 2025, Marriott’s information security controls.
- continue to engage an independent third party (or parties) to audit, at least annually, Marriott’s security compliance with the PCI DSS for its reservations system for 5 years.
- take appropriate actions to remediate any material security control weaknesses or gaps identified by the assessments.
- if necessary, evaluate and update policies in light of any weaknesses or gaps identified [22].
Marriott undertakes to:
- continue to monitor the effectiveness of Marriott’s Global Information Security & Privacy Incident Response Plan on no less than an annual basis.
- if necessary, evaluate and revise the Incident Response Plan in light of such testing and review [23].
Marriott undertakes to:
- continue to respond to all queries or complaints raised by individuals (whether raised directly with Marriott or through the Commissioner) in relation to the Starwood Security Incident.
- continue to monitor, through the engagement of leading security firms for evidence of public disclosure or unauthorised use of personal information of individuals covered by the Privacy Act as a result of the Starwood Security Incident for a further 12 calendar months and to promptly notify the Commissioner and any affected individuals if Marriott discovers evidence that confirms unauthorised public disclosure or use [24].
Marriott undertakes to make available to the Commissioner a copy of each of the third party’s written reports within thirty (30) days of its completion [24].
Marriott undertakes to provide a written declaration to the Commissioner on or around the first four anniversaries of the Commencement Date that:
- Marriott is in compliance with its Core Undertakings; or
- specify any action that Marriott should take to ensure that it complies with the Core Undertakings (Implementation Actions); and (if applicable)
- set out a plan, including time frames, for Marriott to take the Implementation Actions (Implementation Plan), which will be completed within 12 months following each such declaration, or within such other time frames agreed between Marriott and the Commissioner [26].
Marriott undertakes to complete the Implementation Actions in accordance with the Implementation Plan, or any reasonable alternative course of action that Marriott proposes to take in respect of such identified actions, within 12 months of the date of each such declaration, or within such other time frames agreed between Marriott and the Commissioner [27].
Marriott will provide or make available to the Commissioner all relevant documents and information requested by the Commissioner from time to time (save for any documents the subject of a claim for legal professional privilege) for the purpose of assessing Marriott’s compliance with the terms of the Enforceable Undertaking [28].
Marriott nominated Marriott International, Inc.’s Chief Information Security Officer as the person responsible for overseeing compliance with the requirements of this Enforceable Undertaking and reporting to the OAIC. Marriott has provided the OAIC with this person’s contact details as at the date of this Enforceable Undertaking and will notify the OAIC within a reasonable period if there are any changes to the identity of this person and/or their contact details [33].