GDPR

Twitter Fined $547,000 Under GDPR for 2018 Data Breach

Breach Notification, General Data Protection Regulation (GDPR), Security Operations

Penalty Marks First Time Any US Tech Firm Penalized Under EU’s Privacy Regulation


For the first time, a U.S. technology firm has been fined under the EU’s General Data Protection Regulation. Ireland’s Data Protection Commission on Tuesday hit social media giant Twitter with a 450,000 euros ($547,000) fine for failing to report and document a data breach within 72 hours, as required under GDPR.


In 2018, a bug in Twitter’s design specific to Android devices inappropriately exposed protected messages from 88,000 users, the commission says.

The commission says that Twitter reported that data exposure in January 2019 – it was discovered on Dec. 26, 2018 – at which time the regulatory agency began its investigation into the incident.

The DPC took the lead in the investigation because Twitter’s European operation is headquartered in Ireland.

“The DPC has imposed an administrative fine of 450,000 euros on Twitter as an effective, proportionate and dissuasive measure,” writes Helen Dixon, Ireland’s commissioner for data protection.

Although the case marks the first time a U.S. technology firm has been fined under GDPR, other American firms have been fined, albeit as a result of investigations run by other countries in Europe. Sanctioned organizations include Marriott Hotels, which recently was fined $23.8 million by the U.K.’s privacy watchdog, and Ticketmaster, which was fined $1.7 million, also by the U.K. Both of those fines were determined in consultation with privacy authorities in EU member states.

Twitter Blames Personnel Shortage

Twitter blamed the reporting delay on staffing issues in December 2018.

Due to the bug in the Twitter app for Android, if a user changed the email address associated with their Twitter account, any protected tweets became unprotected tweets and therefore accessible to the public – and not just a user’s followers – without the user’s knowledge, the DPC’s report states.

Debate Over Low Level of Fine

The maximum penalty for violating GDPR is 20 million euros ($23 million) or 4% of an organization’s annual global revenue – whichever is higher.

A deciding factor in setting the fine in this case was that Twitter International Co., which manages Twitter for the EU, was directly responsible for the breach, and not the much larger San Francisco-based Twitter Inc., Dixon says.

“When applied here in the context of the GDPR though, it is clear that TIC, as the sole independent controller of personal data of EEA data subjects, enjoys independence in respect of decisions about the purposes and means of processing,” she says.

The DPC had originally intended to fine TIC $164,000 to $334,000. But some other EU member states objected, demanding a larger fine, and for the first time ever, initiated a dispute resolution process, as enshrined in GDPR. This sees the case get referred to the independent European Data Protection Board, which has a remit to ensure that GDPR gets consistently applied.

The board concluded that Twitter’s Ireland-based operation and its parent company, TIC, operate in a co-dependent fashion, so the parent company’s revenue should be taken into consideration when setting the fine.

In response, the DPC increased the amount to $547,000.

Johnny Ryan, a senior fellow with the Irish Council for Civil Liberties, says multiple board members “took issue” with the penalty.

For example, Ryan said that German regulators were pushing for a fine of $7 million to $22 million.

Twitter Fined in Irish GDPR Action


Bad Cookies: Privacy Regulator Fines Supermarket Giant

General Data Protection Regulation (GDPR), Governance & Risk Management, Privacy

$3.7 Million Fine for French Supermarket Giant Carrefour for Alleged GDPR Violations


Warning to organizations that store or process Europeans’ personal information: Make privacy policies easy to understand, never place advertising cookies without consent and only retain customer data for a reasonable period of time.


Failure to meet those standards resulted in French retail giant Carrefour Group, based near Paris, being hit with a 3.1 million euros ($3.7 million) privacy fine by the country’s data security and privacy regulator.

Last week, France’s privacy regulator, the Commission Nationale de l’Informatique et des Libertés, or CNIL, announced that, after conducting an investigation from May to July 2019, it has issued sanctions against two Carrefour Group companies:

  • Carrefour France: 2.25 million euros fine
  • Carrefour Banque: 800,000 euros fine

CNIL alleges that Carrefour Group violated statutes under the EU’s General Data Protection Regulation as well as French law. But the regulator said that Carrefour had made significant efforts to fix the shortcomings it identified, meaning the regulator hadn’t needed to take the company to court to force it to make changes.

Carrefour grocery stores are well known throughout France, where Carrefour was the first group to open a hypermarket – a large grocery store, often located outside town or city boundaries – near Paris in 1963. Today, Carrefour counts more than 1,200 hypermarkets worldwide and more than 3,400 stores in total.

Details of Alleged Violations

In a French-language press release, CNIL accuses Carrefour of violating the following EU and French statutes:

  • Right to be informed: Under GDPR Article 13, “individuals have the right to be informed about the collection and use of their personal data,” per Britain’s Information Commissioner’s Office. “This is a key transparency requirement under the GDPR.” But CNIL says information provided to users of the carrefour.fr and carrefour-banque.fr websites who wished to join the company’s loyalty program or get a Carrefour credit card was not easily accessible, was too complicated and failed to specify for how long data would be retained.
  • Breaches relating to cookies: Per Article 82 of the French Data Protection Act, “any subscriber or user of an electronic communications service must be informed in a clear and comprehensive manner, unless they have been informed in advance,” about how collected data will be used, as well as how they might seek to oppose that use. Unless an organization receives consent, it has no right to process the individual’s personal information. But CNIL says Carrefour was automatically pushing cookies onto the systems of visitors to the carrefour.fr and carrefour-banque.fr websites before attempting to obtain consent, despite some of the cookies being used for advertising.
  • Breach of data retention requirements: CNIL says that, in violation of GDPR Article 5.1.e, Carrefour France failed to respect a four-year data retention period it had set, leading to the company inappropriately retaining data for more than 28 million customers who had been inactive for five to 10 years, as well as for more than 750,000 users of the carrefour.fr website. The regulator also said that it considered “a retention period of four years for customer data after their last purchase to be excessive.”
  • Failure to respect rights: Under GDPR and also French law, companies must field requests from people who wish to have their personal data removed. But CNIL says Carrefour France failed to respond to multiple requests and, in some cases, failed to erase information when it should have done so. “The company did not take into account several requests from people who objected to receiving advertising by SMS or email, in particular due to occasional technical errors,” CNIL says.
  • Breach of data subjects’ rights: CNIL says that, in violation of GDPR Article 12, Carrefour France was requiring customers to prove their identity before being allowed to exercise their various rights under GDPR. “This systematic request was not justified since there was no doubt about the identity of the people exercising their rights,” CNIL says. “In addition, the company was not able to process several requests for the exercise of rights within the time limits required by the GDPR.”
  • Breach of the obligation to process data fairly: Per Article 5 of GDPR, organizations must be transparent about how they handle data. CNIL says Carrefour Banque customers who signed up for a “pass card” – a credit card tied to their Carrefour loyalty program account – were told that the bank would only transfer their first name and email address to the program. But investigators found that “other data was transmitted, such as the postal address, the telephone number and the number of its children.”

CNIL says Carrefour has taken numerous steps to address the above problems, including rapidly hiring new employees to respond to all data access requests, revamping the data-sharing notices it provides to consumers, halting the placing of cookies on systems before getting consent and overhauling its online loyalty card subscription process.

Basis for the Final Fine

CNIL notes that, had it simply fined Carrefour France, it would have had to base penalties on that relatively small unit’s 2019 revenue.

But Carrefour France is part of a wider group of companies, which led the CNIL committee overseeing the final decision to look at the entity more broadly. Investigators found that “Carrefour Hypermarchés and Carrefour Proximité France companies are benefiting from the data sharing program,” owing to Carrefour France’s marketing department having processed the shared data of customers of those companies, including their “last name, first name, physical and electronic address, telephone number and purchase history, in order to send them personalized advertising for the products sold.”

As a result, the CNIL committee opted to use as the basis for its fine the revenue of the largest Carrefour entity that benefited from the improper data practices.

The final fines, totaling 3.1 million euros, are only a fraction of what could have been imposed. Under GDPR, EU regulators can levy fines of up to 4% of an organization’s annual global revenue or 20 million euros – whichever is greater – if they violate Europeans’ privacy rights. Thus, Carrefour faced a fine of up to 64 million euros, with the final judgment equaling just 5% of that amount.

Carrefour has two months to appeal the fine, should it choose to do so. The company didn’t immediately respond to a request for comment.

Microsoft Backpedals Over ‘Productivity Score’ Monitoring

General Data Protection Regulation (GDPR), Governance & Risk Management, Privacy

User Tracking Eliminated in Microsoft 365 Following Privacy Backlash


Microsoft is revamping its controversial “productivity score” in Microsoft 365 so that individual workers can no longer be tracked. The move follows warnings by privacy advocates that the feature was a step too far into the realm of workplace surveillance (see: Productivity Tools May Be Monitoring Workers’ Productivity).


Jared Spataro, corporate vice president for Microsoft 365, says in a blog post published on Tuesday that the feature was designed not to track individuals but to help IT administrators better “measure and manage the adoption of Microsoft 365,” especially given the sudden shift to cloud-based applications and tools for so many organizations during the pandemic.

Microsoft 365 is the company’s cloud-based productivity suite, which includes Office 365 applications as well as Windows 10 Pro and Enterprise Mobility + Security.

“We believe that data-driven insights are crucial to empowering people and organizations to achieve more,” Spataro says. “We also believe that privacy is a human right, and we’re deeply committed to the privacy of every person who uses our products.”

As a result, he says the productivity score feature will no longer display usernames and users’ actions, but will only aggregate the information at an organizational level. “No one in the organization will be able to use productivity score to access data about how an individual user is using apps and services in Microsoft 365,” he says.

The user interface for the feature is being redesigned to emphasize that it is “a measure of organizational adoption of technology – and not individual user behavior,” he says.

How Microsoft calculates productivity scores, an optional feature for businesses that use Microsoft 365 or Office 365 (Source: Microsoft Productivity Score documentation)

Alarm over the feature and its implications had been sounded by journalists and privacy researchers, including Vienna-based Wolfie Christl, as The Guardian has reported.

Jeffrey Snover, a Microsoft technical fellow and its CTO for “modern workforce transformation,” thanked Christl and other privacy researchers who had criticized the feature, saying that it was their “feedback which led to this change.”

Responding to the change, Christl tweeted: “I welcome that Microsoft is making significant changes and will entirely remove individual-level reporting.”

But he noted that this is just one of the features available to organizations that want to monitor employees.

“Microsoft provides usage data for many of its enterprise products in a way that can be exploited for employee monitoring, or is designed for this purpose,” he says via Twitter. “The collection and use of personal data at the workplace generally deserves much more scrutiny and attention. This is not only about ‘privacy,’ but about power asymmetries. A major vendor’s product designs affect the daily lives of millions of employees around the globe.”

Workplace Surveillance Increases

Interest in workplace surveillance tools has been surging as the COVID-19 pandemic continues and many employees continue to work from remote locations.

But under some laws, employers cannot monitor workers at whim or by simply telling them they’re doing so. In Europe, for example, the General Data Protection Regulation safeguards privacy rights by requiring organizations to demonstrate that any technical measures they have in place – including workplace surveillance tools – comply with the law. The organizations must also be transparent about what they are doing.

Jonathan Armstrong, a partner at London-based law firm Cordery, says that, before organizations that must comply with GDPR adopt such tools, they must conduct an impact assessment that demonstrates “the harm we’re trying to fix” as well as how their response to that harm is “proportionate.” He also cautions that productivity tools may have built-in features that can be used to track employees. And he says organizations must account for any such features left activated in their GDPR impact assessments. Otherwise, he says, they run the risk of an investigation by privacy regulators – followed by sanctions – as well as seeing such data get used against them in employee lawsuits.

Artificial Intelligence Capabilities Evolve

As artificial intelligence and machine-learning tools continue to improve, so too does the ability to monitor individuals in previously impossible ways. Numerous governments, for example, have been adopting AI to provide surveillance capabilities.

A number of tools now offer automatic facial recognition. (Source: Amazon)

Such tools are built by organizations in China, the U.S., Japan and elsewhere, with Huawei, IBM, Cisco, ZTE, NEC Corp., Hikvision and Palantir among the world’s top suppliers, according to the Carnegie Endowment for International Peace.

Numerous companies now sell facial recognition technology that has the ability to search for faces. They include Amazon, Affectiva, Google, IBM, Kairos, Microsoft, NEC Corp. and OpenCV. Some of these tools can even be used in real time – for example, to identify individuals in large crowds (see: Amazon Rekognition Stokes Surveillance State Fears).

Fears over such tools – and their potential use by authoritarian governments – have at times provoked a backlash by Silicon Valley employees. But as developers and governments continue their rush to experiment with and adopt such technology, some experts warn that security, privacy, data protection and liability questions too often remain unanswered.

Amazon Pitches AWS Panorama

Meanwhile, on Tuesday, Amazon announced a new AI offering, designed for industrial environments and workplace safety applications, that can be used to augment CCTV systems. Built by its cloud arm, the AWS Panorama product is an appliance that plugs into the same network as IP-based CCTVs and can then monitor for a range of employee, facility and environmental conditions.

Source: Amazon

Use cases include counting the number of customers lining up outside a shop or sounding an alarm if any workers are seen not wearing personal protective equipment, Amazon says.

The Financial Times reports that Siemens and Deloitte are among the companies now testing the technology.

An Amazon spokeswoman told the BBC that the focus of the product is on workplace safety and industrial operations, and how it gets configured is up to customers.

“For example, AWS Panorama does not include any pre-packaged facial recognition capabilities,” she said. In addition, all processing happens only on the devices and never leaves the customer environment.

But Silkie Carlo, director of British civil liberties group Big Brother Watch, told the BBC that workplace surveillance “rarely results in benefits for employees.”

Carlo also expressed skepticism over how the product is being marketed. “It’s a great shame that social distancing has been leapt on by Amazon as yet another excuse for data collection and surveillance,” she said.

Ticketmaster Fined $1.7 Million for Data Security Failures

General Data Protection Regulation (GDPR), Governance & Risk Management, Incident & Breach Response

Following Alerts of Potential Fraud, Ticketmaster Took 9 Weeks to Spot Big Breach

A view of Ticketmaster UK’s website before the COVID-19 pandemic resulted in live events across Europe being indefinitely postponed

Ticketmaster UK has been fined 1.25 million pounds ($1.7 million) by Britain’s privacy watchdog for its “serious failure” to comply with the EU’s General Data Protection Regulation.


Regulators say the company failed to properly secure chatbot software that it opted to run on a payments page, which attackers subverted, allowing them to steal payment card information. After being alerted to suspected card fraud that traced to its site, Ticketmaster UK allegedly failed to mitigate the problem for nine more weeks.

The fine was announced on Friday by the Information Commissioner’s Office, which enforces GDPR in Britain.

Ticketmaster UK says it plans to appeal the ruling. The company is a subsidiary of ticket sales and distribution giant Ticketmaster, owned by Live Nation Entertainment, which is based in Beverly Hills, California.

The ICO, which launched its investigation in June 2018, says the fine only applies to Ticketmaster’s failures following GDPR going into full effect in May 2018. As the investigation concluded before the U.K. left the EU, the ICO says it served as the lead supervisory authority for the EU and that the penalty represents a consensus decision by all data protection authorities across Europe.

2018 Data Breach

The fine announced by the ICO traces to a breach that began in February 2018.

Ultimately, the breach exposed personal details – including names, payment card numbers, expiration dates and CVV numbers – for approximately 9.4 million European Ticketmaster customers, including 1.5 million in the U.K. At least 60,000 Barclays Bank cards have been tied to known fraud, the ICO says, while Monzo Bank replaced 6,000 cards after it detected signs of fraudulent use.

Attackers also compromised details for an unknown number of customers outside the EU, including in Australia and New Zealand.

Security experts say the breach appears to have been tied to groups of attackers – collectively known as Magecart – that implant code on websites that allows them to steal payment card data.

‘Millions … Exposed to Potential Fraud’

Regulators say Ticketmaster’s failure to lock down JavaScript chat software it opted to use on a payments page, as well as its failure to detect and remediate the breach in a timely manner – or fully detail the breach to the ICO within 72 hours of detecting it – meant it violated GDPR in multiple ways.

Europe’s tough new GDPR privacy law came into full effect on May 25, 2018.

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not,” says James Dipple-Johnstone, the ICO’s deputy commissioner.

“Ticketmaster should have done more to reduce the risk” posed by a potential online attack, Dipple-Johnstone says. “Its failure to do so meant that millions of people in the U.K. and Europe were exposed to potential fraud.”

Ticketmaster UK didn’t immediately respond to a request for comment. But in written comments provided to the ICO, as well as a statement issued to the BBC, the firm blamed the breach on Inbenta Technologies, which develops the JavaScript chatbot software Ticketmaster was using.

“Ticketmaster takes fans’ data privacy and trust very seriously,” the company says in its statement. “Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.”

Attackers Subverted JavaScript Chatbot

When Ticketmaster first disclosed the breach in June 2018, it said attackers had exploited its Inbenta chatbot software to steal data from customers of its Ticketmaster International, Ticketmaster UK, GET ME IN! and TicketWeb sites.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites,” Ticketmaster said at the time.

Security experts say that, because the software was being used on Ticketmaster payment pages, it appears to have allowed attackers to inject JavaScript that allowed them to steal customer details.

Responding to the breach, Inbenta said Ticketmaster should never have been using the custom JavaScript on a card payment page.

“Ticketmaster directly applied the script to its payments page, without notifying our team,” Inbenta Technologies CEO Jordi Torras said at the time. “Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability. The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

Breach Timeline

The ICO’s 73-page monetary penalty notice against Ticketmaster UK says the company missed multiple opportunities to spot and remediate the breach in a more timely manner.

After the breach began in February 2018, representatives from London-based Monzo Bank met with Ticketmaster on April 12, 2018, warning the company that it had traced stolen payment data to Ticketmaster’s site.

According to the ICO, in a meeting about four days later, Monzo provided Ticketmaster with what it described as “smoking gun” evidence: A legitimate customer had entered an incorrect expiration date for their credit card when trying to buy tickets, leading to the transaction failing. “That same payment card and incorrect expiry date was then used in an attempted fraudulent transaction the following Monday,” the ICO reports.

By April 19, 2018, Monzo had decided to replace 6,000 payment cards. It published a statement on its website saying it had been informed by Ticketmaster that its investigation had found no signs that its systems had been breached and said no other card issuers had reported any fraud.

At about that time, however, the Commonwealth Bank of Australia, as well as American Express, Barclaycard and Mastercard “all reported suggestions of fraud to Ticketmaster,” the ICO says. “But the company failed to identify the problem.”

The ICO says that, around May 5, 2018, Ticketmaster hired four digital forensics firms to investigate, but they primarily looked into the Australian fraud reports. The regulator says the investigators “determined that any breach of Ticketmaster’s systems most likely originated out of Ticketmaster’s Australian website, which was largely housed in North American networks and data centers.”

The ICO says that Ticketmaster failed to instruct its incident response teams to investigate any potential breach of its U.K. or European payment systems. After receiving threat intelligence from Visa about malicious, third-party scripts, the incident response team also failed to identify the subverted chat software.

Other indications that something was amiss included a Ticketmaster customer who was using its site in Ireland reporting, on May 31, 2018, that “their anti-virus product … identified Ticketmaster’s website as malicious, in particular the reference to the Inbenta tag,” the ICO notes.

Excerpt from the ICO’s 73-page monetary penalty notice against Ticketmaster UK, issued on Nov. 13

Ticketmaster did not confirm the breach and identify the cause until about three weeks later. On June 23, the JavaScript chatbot was identified as being the cause, and it was deactivated on most sites, except sites in France and on getmain.com, which were disabled the next day.

Right to Respond

The ICO’s fine against Ticketmaster follows the regulator in recent weeks fining British Airways 20 million pounds ($26.4 million) and Marriott 18.4 million pounds ($24.3 million) – the two biggest privacy fines ever issued in the U.K. – for security failures tied to separate breaches suffered or detected in 2018.

One notable aspect of both fines was that they respectively amounted to just 10% and 20% of the penalties the ICO initially proposed in its “notice of intent” to fine the organizations. After an organization has been served with such a notice, it has the opportunity to respond before the ICO sets a final fine.

In the case of Ticketmaster UK, in February, the ICO issued its notice of intent to impose a fine of 1.5 million pounds, after which Ticketmaster exercised its right to respond to the findings in writing. Subsequently, the ICO reduced the fine to 1.25 million pounds.

In determining the fines for British Airways, Marriott and Ticketmaster, the ICO said it factored in their written responses, as well as “the economic impact of COVID-19,” before determining the final penalty (see: Marriott and BA’s Reduced Privacy Fines: GDPR Realpolitik).

Under GDPR, organizations that get fined also have a right to appeal the decision in court. Thus, legal experts say, regulators appear to be trying to set final penalties that will survive such appeals (see: German Court Slashes a GDPR Privacy Fine by 90%).

Of course, the Ticketmaster penalty and others stand as a data security warning to other organizations. “The 1.25 million pound fine we’ve issued … will send a message to other organizations that looking after their customers’ personal details safely should be at the top of their agenda,” says the ICO’s Dipple-Johnstone.

The breach is now the focus of at least one group action – aka class-action lawsuit – filed by Keller Lenkner UK, over the financial and emotional effect on victims.

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million U.K. customers,” Kingsley Hayes, the firm’s head of cybercrime, tells the BBC.

Analysis: Are Marriott and BA’s GDPR Fines Big Enough?

The latest edition of the ISMG Security Report features an analysis of the final EU General Data Protection fines that have finally been imposed on Marriott and British Airways over serious data breaches each suffered.

In this report, you’ll hear:

  • ISMG’s Mathew Schwartz reflect on the recent Marriott and BA GDPR fines and the precedent they could set;
  • Krista Tedder, director of payments at Javelin Strategy and Research, and Stu Bradley, vice president of the Fraud and Security Intelligence Division at SAS, analyze the escalation of international digital fraud;
  • Dave Snyder, chief information security leader at Independence Blue Cross, discuss the CISO role and its responsibilities.

The ISMG Security Report appears on this and other ISMG websites on Fridays. Don’t miss the Oct. 23 and Oct. 30 editions, which respectively discuss the significance of Russian hackers’ indictment and post-election cyber disruptions.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.

Marriott and BA’s Reduced Privacy Fines: GDPR Realpolitik

Breach Notification, Fraud Management & Cybercrime, General Data Protection Regulation (GDPR)

Final Fines Set Precedent, Avoid Court Cases, Likely Reflect EU Penalty Benchmarks

JW Marriott Mussoorie Walnut Grove Resort & Spa in Uttarakhand, India (Photo: Marriott)

As demonstrated by large, recently levied privacy fines against the likes of British Airways, H&M and Marriott, the EU’s General Data Protection Regulation is growing up. Relatively large penalties – compared to the pre-GDPR era – are a regulatory reminder of companies’ responsibility to safeguard Europeans’ personal information.


The GDPR privacy law came into full force on May 25, 2018, and requires organizations that process people’s private data to follow a raft of new rules. They include not just ensuring that sensitive data is properly protected, but also giving individuals on-demand access to data that organizations store on them, and potentially having to employ a data protection officer.


In addition, GDPR instituted tough new breach-notification rules, oftentimes requiring organizations that learn they’ve been breached to inform relevant authorities, including their national data protection authority, within 72 hours. Failure to comply exposes organizations to fines of up to 4% of their annual global revenue or €20 million ($23.3 million) – whichever is greater – and potentially also to having their ability to process people’s personal data revoked.

GDPR’s maximum penalties are a substantial increase compared to previous privacy laws – for example, in Britain, where the maximum penalty had been £500,000 ($650,000).

But one frequently heard question since GDPR came into effect has been: How will penalties work in practice?

BA and Marriott Fines Set Precedent

Two years later, the answer to that question is becoming clearer. In the U.K., the Information Commissioner’s Office has recently finalized its two largest GDPR fines to date, involving:

  • British Airways: A 2018 data breach exposed the personal information for about 430,000 customers, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised.
  • Marriott: A four-year breach of Starwood’s customer database began in 2014, continued even after Marriott acquired Starwood in 2016, and wasn’t discovered until 2018. The breach exposed personal information for approximately 339 million customers worldwide.

In July 2019, the ICO issued notices of intent to fine BA £184 million ($238 million) and Marriott £99.2 million ($128.2 million). While steep, these proposed fines were nowhere near the maximum possible. With $20.8 billion in 2018 revenue, for example, Marriott faced a maximum possible fine of nearly $840 million.

The final fines announced by the ICO are still record-setting for the U.K. But they are also much lower than what was initially proposed – down to £20 million ($26 million) for BA and £18.4 million ($23.8 million) for Marriott.

‘The Fine Reductions Have Been Significant’

What accounts for the radical reduction between the initially proposed and final fines?

“The fine reductions have been significant; however, it is important to remember that these were only ‘notices of intent’ initially and that both were made public by the companies concerned, and not by the ICO,” Jonathan Armstrong, a partner at London-based Cordery, tells me.

Marriott, for example, first disclosed the ICO’s notice of intent to fine in a filing to the U.S. Securities and Exchange Commission, at the beginning of its lengthy negotiation process with the ICO.

Both businesses responded in detail to the ICO as its investigation continued, and the regulator says each one not only assisted, but has since substantially overhauled its security programs and practices.

For BA, the ICO said that the dire economic conditions facing the airline industry had been a major factor in its reducing the fine.

For Marriott, the ICO says that the lower final fine reflects more its evolving Regulatory Action Policy, currently under review, which states that “before issuing fines we take into account economic impact and affordability.”

While admitting no liability, Marriott has also agreed to not contest the final fine. That means the ICO “avoided a costly and possibly lengthy appeal process,” Armstrong says.

Seeking Parity

The final BA and Marriott fines are also more in line with what DPAs in other European countries have been levying.

“The new fine levels have likely also been benchmarked against similar fines across the EU,” Armstrong says. “The amounts in the original notices of intent would have been GDPR’s largest fines by a considerable margin. The new fines are probably still high by EU standards – especially compared with countries like Spain, who have been the most active in levying fines after data breaches.”

Indeed, last month Spain fined nine different organizations for violating GDPR, with the fines ranging from €3,000 ($3,500) against legal services firm Avata Hispania up to €60,000 ($70,300) against mobile network operator Lycamobile.

The biggest GDPR fine to date has been against Google, which France’s privacy regulator CNIL last year hit with a penalty of €50 million ($59 million) for failing to clearly and transparently inform users about how it handles their personal data, and for failing to properly obtain their consent for personalized ads.

The second largest GDPR fine came to pass last month, when privacy regulators in Germany slammed clothing retailer H&M with a €35.2 million ($41.2 million) fine for improper workplace surveillance practices.

After Final Fines: Legal Peril

Final GDPR fines, however, don’t necessarily spell the end of potential legal peril for breached organizations. “Quite aside from the precise levels of fine, the notices themselves also serve up a number of key findings of fact, which could form the basis of future civil liability for both organizations and data subjects in the coming weeks and months,” privacy attorneys at London-based Mishcon de Reya say in a recent blog post.

Such potential legal perils represent even more reasons for organizations to keep their privacy house in order.

Marriott Hit With $24 Million GDPR Privacy Fine Over Breach

COVID-19, Cybercrime, Fraud Management & Cybercrime

Privacy Regulator in UK Cautions Organizations to Conduct Thorough Due Diligence

London Marriott Hotel County Hall (Photo: Marriott)

Hotel giant Marriott has been hit with the second largest privacy fine in British history, after it failed to contain a massive, long-running data breach. But the £18.4 million ($23.8 million) penalty imposed by the U.K. Information Commissioner’s Office was markedly lower than the £99.2 million ($128.2 million) fine that the regulator originally recommended.


The fine, for violating the EU’s General Data Protection Regulation, centers on a massive data breach involving the Starwood guest reservation system. The breach began with an attack against Starwood Hotels and Resorts Worldwide in July 2014. In 2016, Marriott acquired Starwood. But it failed to spot the breach until September 2018.

Exposed data included names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, encrypted payment card information. The ICO says the identity of the attacker remains unknown.

Marriott estimates that the breach exposed personal information for approximately 339 million customers worldwide, but cannot give a more precise number, as there may have been multiple records for individual customers.

GDPR empowers EU regulators to levy fines of up to 4% of an organization’s annual global revenue or €20 million ($23.3 million) – whichever is greater – if they violate Europeans’ privacy rights, for example, by failing to secure their personal data.

“Although the fact that Marriott got a much lower fine than originally announced may send out a mixed message, this should not deter organizations from taking data security seriously, and organizations should also bear in mind that class-actions for compensation may yet add to the final bill in cases like this one,” says Jonathan Armstrong, a partner at London-based Cordery.


In March, Marriott disclosed a separate breach, which ran this year from mid-January through the end of February and exposed email addresses, mailing addresses, Bonvoy – aka loyalty – rewards numbers and other personally identifiable information for 5.2 million customers (see: Marriott Suffers Another Massive Data Breach). So far it’s unclear if the hotel giant might face fines over that breach under GDPR, the California Consumer Privacy Act or other regulations.

Multiple ‘Failures’ by Marriott

Across the European Economic Area – including EU countries and also Iceland, Liechtenstein and Norway – the four-year Starwood breach exposed an estimated 30.1 million individuals’ details, including 7 million U.K. customers’ records.

The ICO says attackers were able to install a web shell on a Marriott website, gain direct access to a server and install a remote access Trojan to maintain persistent remote access. Later, the attackers deployed the open source Mimikatz software to steal passwords, and memory-scraping malware to steal payment card details, investigators say.

“The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organizational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation,” the ICO says in its penalty notice.

Based in Washington, Marriott International has over 7,300 hotel and guest properties in 134 countries and territories around the world. In addition to the Marriott name, its 30 brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. In 2019, the company had $20.9 billion in revenue.

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” says U.K. Information Commissioner Elizabeth Denham.

“When a business fails to look after customers’ data, the impact is not just a possible fine,” she adds. “What matters most is the public whose data they had a duty to protect.”

Marriott Apologizes

Marriott has continued to apologize for the breach and has also retired the Starwood database that was originally hacked in 2014.

“Marriott deeply regrets the incident,” the company says in a statement. “Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognizes the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

The company says it will not contest the final fine. “Marriott does not intend to appeal the decision, but makes no admission of liability in relation to the decision or the underlying allegations,” it says. “As the ICO acknowledges, Marriott cooperated fully throughout the investigation.”

COVID-19’s Impact

One notable aspect about the fine imposed on Marriott is that it is just one-fifth of the fine that the ICO originally recommended in July 2019, which Marriott had contested.

But the reduction is not nearly as big as with the final fine that the ICO recently imposed on British Airways, in connection with a 2018 data breach that exposed the personal information of about 430,000 customers, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised. In its initial July 2019 penalty notice, the ICO had proposed fining BA a record £184 million ($238 million). But last month, the regulator issued a final fine of just £20 million ($26 million).

Legal experts say the final fines being lower than the proposed penalties is not surprising. Indeed, the ICO earlier this year noted that because of the ongoing coronavirus outbreak, it planned to adjust its regulatory approach, not least because of the staffing and financial impact that COVID-19 was having on organizations (see: GDPR and COVID-19: Privacy Regulator Promises ‘Flexibility’).

Under GDPR, after proposing a fine, a regulator has 12 months to issue a final fine, unless the regulator proposes delaying the imposition of the fine and the organization being investigated agrees.

Both Marriott and BA had agreed to delays in their final fines.

In the case of BA, which has been especially hard hit by the pandemic, “as part of the regulatory process, the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty,” the regulator said last month.

The ICO says it took the same approach with Marriott. “As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty,” it says.

“The ICO acknowledges that Marriott acted promptly to contact customers and the ICO,” it adds. In addition, Marriott “acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.”

Fine Represents Full EU Penalty

The ICO has also clarified that its penalty represents the only GDPR fine that Marriott will face over this breach. Legal experts said that with Britain having exited the EU on Jan. 31 – via its Brexit process – it was unclear if the remaining 27 EU member states’ data protection authorities might need to commence a fresh investigation.

“Because the breach happened before the U.K. left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR,” the ICO says. “The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.”

Cordery’s Armstrong says the Marriott breach – reduced fine or not – remains a cautionary lesson for any organization involved in mergers or acquisitions.

“Despite the reduction, the case is still a salutary lesson of the need to keep data safe and in particular the need to take care when doing due diligence in acquisitions,” he says.

Class-Action Lawsuits Continue

The ICO closing its investigation does not end the legal challenges the hotel giant faces over the Starwood breach.

Numerous civil lawsuits remain ongoing, including a class-action lawsuit filed in England and Wales in August, under GDPR.

The company also faces lawsuits in Canada. In the United States, a judge in early 2019 consolidated 11 class-action lawsuits over the breach into a single case, and in February a judge ruled that the U.S. lawsuit against Marriott should proceed.