We are all just prisoners here of our own device
It is doubtful that Messrs. Felder, Frey and Henley intended this line to be construed in the context of the General Data Protection Regulation, but if the lyric fits…
The Information Commissioner’s Office (ICO) recently published its final decision following a cyber-attack that began in 2014 and compromised the personal data of some 339 million hotel guests, including their:
- email addresses
- phone numbers
- unencrypted passport numbers
- arrival and departure information
- VIP status
- loyalty programme membership numbers
The breach remained undetected until 2018.
It transpired that an unknown attacker had installed a piece of code known as a “web shell” on a device in the hotel company’s systems. A web shell is a script planted on a web-facing server that lets whoever controls it run commands on that server from anywhere, giving the attacker the ability to access and edit the contents of the device remotely.
Further malware was then installed to give the attacker privileged access, with unrestricted access to devices across the network. From that position they were able to harvest the login credentials of additional users within the network, which they used to reach the database holding reservation data and export its contents.
In 2019, the ICO issued a notice of intent to fine. The penalty relates only to the part of the breach that occurred after GDPR came into force in May 2018, as the Regulation does not apply retrospectively to the earlier years of the intrusion.
Confirming the financial penalty, the Information Commissioner, Elizabeth Denham, said:
Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not. When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.
Meanwhile, back in Hotel California:
You can check out any time you like, But you can never leave
To find out how delivering unique, engaging content to your law firm clients can help to transform your bottom line, get in touch.