Publication date: 7 February 2023

Enforceable undertaking

under s 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth).

This undertaking is offered to the Australian Information Commissioner by:

Marriott International Management Company B.V. (Australian Branch) and Marriott International, Inc.

Level 5, Marriott International, 161 Elizabeth St, Sydney NSW 2000, Australia (ABN 13 094 976 039) and 7750 Wisconsin Avenue, Bethesda, MD 20814, United States of America.

Marriott International Management Company B.V. (Australian Branch) and Marriott International, Inc. (collectively, ‘Marriott’) offer this enforceable undertaking under s 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (the Regulatory Powers Act) to address matters within the scope of the investigation that the Australian Information Commissioner (the Commissioner) commenced on 6 January 2020 under s 40(2) of the Privacy Act 1988 (Cth) (the ‘Commissioner’s Investigation’).

Subject to paragraph 30 below, the Commissioner’s Investigation into Marriott will conclude on acceptance of this enforceable undertaking, including in respect of any of Marriott’s affiliated or associated entities worldwide.

Marriott gives this enforceable undertaking on a without prejudice basis, and without any admission of liability as to the matters raised in the Commissioner’s Investigation. In giving this enforceable undertaking, neither Marriott nor any of its affiliated or associated entities is precluded from taking any position or relying on any facts or factual statements in any legal or regulatory proceedings in Australia or in any other jurisdiction in relation to any matter that was within the scope of the Commissioner’s Investigation or which otherwise relates to the Starwood Security Incident (defined below).

The Commissioner’s acceptance of this enforceable undertaking is not a finding that Marriott has contravened the Privacy Act or the Australian Privacy Principles.

In agreeing to this enforceable undertaking, the Commissioner acknowledges that Marriott has made available all requested information to the Commissioner in relation to the Starwood Security Incident and the changes that have been made to Marriott’s IT systems and security environment following that incident.

Background statement

The Australian Information and Privacy Commissioner has accepted a court-enforceable undertaking from Marriott International Management Company B.V. (Australian Branch) and Marriott International Inc (together Marriott) in relation to a data breach involving unauthorised access to one of its guest reservation databases.

The enforceable undertaking has been published here.

This binding commitment follows an investigation by the Office of the Australian Information Commissioner (OAIC) into the steps Marriott took to protect the personal information it held within the Starwood guest reservation database. This database was subject of unauthorised access by an unknown actor between 2015 and 2018, resulting in the potential unauthorised access of up to 2.2 million records allocated to Australian guests. Marriott has estimated that globally 339 million guest records were affected in total. Australia’s notifiable data breaches scheme did not apply at the time of the breach.

The investigation noted Marriott’s response to the unauthorised access, including the decommissioning of the Starwood guest reservation database and implementing a number of security and monitoring enhancements to protect its broader systems. Marriott also established a claims process for individuals where there was evidence of fraud associated with their compromised passport numbers.

The enforceable undertaking requires Marriott to continue its enhanced security and monitoring activities for a period of 5 years and engage an independent third party to assess these controls. Marriott must continue to respond to all queries and complaints raised by Australians affected by the unauthorised access and engage a leading security firm to monitor for evidence of any public disclosure or unauthorised use of personal information for a period of 12 months.

In accepting the undertaking, the Commissioner considered the actions taken by Marriott to remedy and address the conduct and consequences of the breach, and the impact of other regulatory action taken by international counterparts in providing specific and general educational and deterrent value. This includes the issuing of a monetary penalty notice by the UK Information Commissioner’s Office and the publication of an investigation report by the Office of the Privacy Commissioner of Canada.

The OAIC may take court action at any stage if Marriott does not fully comply with the terms of the undertaking.

Further information about enforceable undertakings and the OAIC’s regulatory action policy is available on the OAIC website.

Definitions and interpretation

Definitions

1 ‘Core Undertaking’ refers to each of the undertakings set out in paragraphs 21 to 24.

2 ‘Payment Card Industry Data Security Standard’ (PCI DSS) refers to the information security standard of the Payment Card Industry Security Standards Council.

3 ‘Starwood guest reservation database’ refers to the global database housed and managed centrally by Starwood Hotels and Resorts Worldwide Inc. (Starwood).

Interpretation

4 Terms used in this enforceable undertaking that are defined in the Privacy Act will have the same meanings given to those terms in the Privacy Act.

5 The words ‘includes’ and ‘including’ and similar expressions are not used, or intended to be interpreted, as words of limitation.

Details of the incident and Marriott’s response

6 An unknown actor accessed certain IT systems of Starwood (the ‘unauthorised access’), namely the Starwood IT systems (the ‘Starwood network’) and Starwood guest reservation database (collectively, the ‘Starwood systems’). Using the unauthorised access, there is evidence to suggest that the unknown actor may have accessed different records contained in the Starwood guest reservation database on four or a maximum of five occasions between 2015 and 2018, including potentially up to 2.2 million records allocated to Australian guests (the ‘Starwood Security Incident’). While Marriott used a process to identify and deduplicate records from the affected dataset, this process was unable to remove all duplicate records and, as such, it is likely that the total number of records corresponding to Australian guests involved in the Starwood Security Incident was fewer than 2.2 million. Further, the number of guest records potentially involved is different from the number of unique Australian individuals whose personal data may have been involved in the incident, the number of which Marriott believes to have been considerably lower still.

7 The 2.2 million records referred to above include:

  1. 685,326 Australian passport numbers (of which 453,038 were encrypted);
  2. the encrypted hash value of 254,345 payment card numbers attributed to individuals resident in Australia, and fewer than 80 potential payment card numbers attributed to individuals resident in Australia that were present in database fields that were not designed for the input of payment card information (and were, as a result, not encrypted); and
  3. 252,000 guest records associated with an Australian based hotel.

8 In September 2016, Starwood was acquired by Marriott International, Inc. At the time of the acquisition, Marriott was not aware of the unauthorised access to the Starwood systems. The pre-acquisition due diligence Marriott was able to conduct was necessarily limited by the nature of a public company takeover process in the United States. The due diligence that Marriott was able to perform during this period indicated a mature IT security environment and did not raise any ‘red flag’ IT security issues. Following the acquisition, Marriott maintained the Starwood systems separately from Marriott’s own systems with a view to implementing a phased decommissioning of the Starwood systems.

9 In September 2018, a monitoring tool deployed in respect of the Starwood guest reservation database alerted an indicator of potential unusual activity with respect to the Starwood guest reservation database.

10 Third party forensic experts were engaged from September 2018 to investigate the potential unusual activity. Responding to the findings of these forensic experts, Marriott successfully contained and remediated the Starwood Security Incident by implementing additional protective and monitoring measures across the Starwood systems, including in respect of the Starwood guest reservation database.

11 The immediate containment measures implemented by Marriott in the Starwood network included deployment of an endpoint threat detection and response tool, password resets, firewall rule blocks, malware removal, additional access controls, and system rebuilds. Most of these measures were completed within September 2018.

12 On 19 November 2018, the forensic investigation provided indicators that the unknown actor may have accessed records containing personal information in the Starwood guest reservation database related to Starwood guests. The unauthorised access took place through installation of malware including, specifically, a web shell on an external facing web server and installation of a Remote Access Trojan.

13 The records involved in the Starwood Security Incident included:

  1. Guest-related data (including numerical identifiers to identify the guest, guest name, gender, date of birth, whether the guest had been identified as a VIP (including a separate VIP code), whether the guest was a member of the Starwood loyalty programme and their account information, mailing address, passport country code and name, passport number, phone number, fax number, email address, encrypted and unencrypted payment card numbers and expiration date. As noted above, virtually all payment card numbers and the substantial majority of passport numbers were encrypted.
  2. Guest stay-related data (including a central reservation confirmation number, a unique numerical room identifier, room type, the total number of guests in the room (including the number of adult and child guests)), number of cribs used in the room, number of rollaway beds designed for adults and number of rollaway beds designed for children, arrival date and time, departure date, whether the guest has checked in, and flight number and airline code.

14 In November 2018, Marriott informed the Commissioner of the Starwood Security Incident. On the same day, Marriott issued a press release about the Starwood Security Incident. Marriott also notified Starwood guests whose personal information may have been compromised in the Starwood Security Incident, established a designated website and call centre support (with local Australian telephone extensions (among others)) to provide updates to Starwood guests, and offered guests the opportunity to enrol in a personal information monitoring service free of charge for one year. Marriott also established a claims process for Starwood guests whose passport numbers had been verified as being part of the determinate unencrypted passport set compromised in the Starwood Security Incident and where evidence of fraud was provided.

15 As at the date of this undertaking, Marriott advises that it has not received any substantiated claim for financial loss arising from the Starwood Security Incident, and that it is not aware of any evidence of any other actual harm to an individual resulting from this incident, nor is there evidence of any phishing attack or other misuse of personal information. Marriott has been monitoring for such disclosure or activity through the engagement of leading security firms since becoming aware of the potential unauthorised access to records containing personal information in the Starwood guest reservation database.

16 In response to the Starwood Security Incident, Marriott undertook a range of activities to:

  1. shut down the Starwood systems. Marriott decommissioned the Starwood guest reservation database in December 2018. The Starwood guest reservation database and the Starwood network are no longer being used for business operations; and
  2. further enhance the security and monitoring measures protecting Marriott’s separate systems and its security environment, including, among other things:
    1. Modernising identity access management
      Implementing identity access management tools to provide better protection of privileged accounts, restrict access to those individuals approved for a specific business need, and increase visibility and control over devices that join the Marriott network through discovery technology and network access control.
    2. Broadening deployment of multi-factor authentication
      Further expanding deployment of multi-factor authentication across Marriott’s systems, including those used to access web-based and extranet applications, Office365, critical servers, network resources, Linux systems, and cloud environments.
    3. Enhancing network segmentation
      Continuing to work on isolating data based on sensitivity and risk, including by further enhancing Marriott’s network segmentation.
    4. Endpoint detection
      Accelerating the roll-out of advanced endpoint threat detection tools to over 200,000 devices, thereby expanding the ability to identify and address vulnerabilities in its computing environment and applications before the vulnerabilities can be exploited.
    5. Information security applications & systems assessments
      Performing information security and vulnerability assessments on its reservation systems and other high-value targets, applications, cloud environments, as well as other high-risk environments to enhance the resiliency of those targets.
    6. Personal data security enhancements
      Improving personal data security controls using data access standards and additional database controls and continuing to improve data management with a goal of minimising the data that Marriott collects and retains.
    7. Vulnerability management
      Investing in tools to identify vulnerabilities and continuing to prioritise vulnerability remediation. Likewise, Marriott has been focused on secure code development practices, including investments in software code vulnerability scanning tools to identify vulnerabilities during the code development stage so that fixes are deployed before code is placed into production.
    8. Improved cyber security incident response capabilities
      Investing in additional staff, executive tabletop exercises, and insider threat tools to monitor and analyse user and entity behaviour for malicious activity. Marriott also implemented an updated incident case management tool to scale its incident response and allow for effective coordination across the company.
    9. Security governance and enhancing compliance tools
      Improving information security governance to promote cyber risk awareness and embed security in all new business discipline initiatives. Increasing visibility and control over devices that join Marriott's network through discovery technology and Network Access Control (NAC), and extending the capacity needs of intrusion protection and detection (IPS) to meet the internet traffic needs of business at the data centres.
    10. Other operational improvements
      Investing in additional staff for security project management, security architecture and other overall support, and additional secure coding training for developers.

Marriott has provided detailed information about its additional security measures to the Commissioner on a confidential basis in response to the Commissioner’s Investigation.

The Commissioner’s investigation

17 On 6 January 2020, the Commissioner notified Marriott that she had initiated an investigation into Marriott in relation to the Starwood Security Incident, which the Commissioner believed may have interfered with the privacy of individuals within the meaning of the Privacy Act.

18 As a result of the Commissioner’s Investigation, the Commissioner held concerns including that in respect of its obligations under APP 11.1 of the Privacy Act, Marriott did not take reasonable steps in the circumstances to protect the personal information it held in the Starwood systems from misuse, interference, or loss and from unauthorised access, modification and disclosure. The Commissioner’s concerns included that Marriott had:

  1. insufficient monitoring of access and use of its databases and network; and
  2. inadequate authentication protection to secure the personal information held.

Term of undertaking

19 This undertaking comes into effect on the date that it is executed by Marriott and accepted by the Commissioner (the ‘Commencement Date’).

20 This undertaking ceases to have effect five (5) years from the Commencement Date.

Documentation and maintenance of current security measures

21 Marriott undertakes in accordance with APP 11 to:

  1. Continue to implement or otherwise maintain the security measures described in paragraph 16 above and in Marriott’s responses to the Commissioner’s Investigation or alternative measures as appropriate based on evolving technology, accepted practices, and/or the regulatory requirements and obligations Marriott is subject to either now or in the future (provided that, for the avoidance of doubt, Marriott is only responsible to the Commissioner for compliance with Australian law).
  2. Take all reasonably necessary steps to ensure that any changes made to Marriott’s information security framework and processes in Australia after the Commencement Date do not materially degrade or materially reduce the overall level of protection afforded to individuals’ personal information in compliance with Australian law.
  3. Continue, through an appropriate governance process to monitor and oversee the effectiveness of the privacy and security risk management strategy set by Marriott’s privacy and information security leadership and policies (including in relation to Marriott’s information security, data collection, encryption, retention processes as applicable in Australia).

Independent assessment

22 Marriott undertakes in accordance with APP 11 to:

  1. Continue engaging an independent third party (or parties) to assess, during 2023 and 2025, Marriott’s information security controls provided for under paragraph 21(a) above.
  2. Continue engaging an independent third party (or parties) to audit, at least annually, Marriott’s security compliance with the PCI DSS for its reservations system for a period of 5 years from the Commencement Date.
  3. Take appropriate actions to remediate any material security control weaknesses or gaps identified by the assessments carried out under paragraphs (a) and (b) above.
  4. If necessary, evaluate and update policies (referred to at paragraph 21(c) above) in light of any weaknesses or gaps identified.

Review and test Incident Response Plan

23 Marriott undertakes in accordance with APP 11 to

  1. continue to monitor the effectiveness of Marriott’s Global Information Security & Privacy Incident Response Plan (Incident Response Plan) on no less than an annual basis.
  2. If necessary, evaluate and revise the Incident Response Plan in light of such testing and review.

Respond to queries and complaints

24 Marriott undertakes to:

  1. Continue to respond in accordance with Australian law and the Privacy Act to all queries or complaints raised by individuals (whether raised directly with Marriott or through the Commissioner) in relation to the Starwood Security Incident.
  2. Continue to monitor, through the engagement of leading security firms as described at paragraph 15, for evidence of public disclosure or unauthorised use of personal information of individuals covered by the Privacy Act as a result of the Starwood Security Incident for a further period of 12 calendar months from the Commencement Date, and to promptly notify the Commissioner and any affected individuals if Marriott discovers evidence that confirms unauthorised public disclosure or use.

Reporting to the Commissioner

25 Marriott undertakes to make available to the Commissioner a copy of each of the third party’s written reports referred to in paragraphs 22(a) and (b) above within thirty (30) days of the completion of such a written report.

26 Marriott also undertakes to provide a written declaration to the Commissioner on or around the first four anniversaries of the Commencement Date, signed by an appropriate senior officer of the company, and having regard to the third party assessments referred to in paragraphs 22(a) and (b), to the extent available at the time, that:

  1. Marriott is in compliance with its Core Undertakings; or
  2. specify any action that Marriott should take to ensure that it complies with the Core Undertakings (Implementation Actions); and (if applicable)
  3. set out a plan, including time frames, for Marriott to take the Implementation Actions (Implementation Plan), which will be completed within 12 months following each such declaration, or within such other time frames agreed between Marriott and the Commissioner.

27 Marriott undertakes to compete the Implementation Actions in accordance with the Implementation Plan, or if applicable, any reasonable alternative or course of action that Marriott proposes to take in respect of such identified actions within 12 months of the date of each such declaration, or within such other time frames agreed between Marriott and the Commissioner.

Provision of information to the Commissioner

28 Marriott will provide or make available to the Commissioner all relevant documents and information requested by the Commissioner from time to time (save for any documents the subject of a claim for legal professional privilege) for the purpose of assessing Marriott’s compliance with the terms of the Enforceable Undertaking.

Acknowledgements

29 Marriott acknowledges that the Commissioner:

  1. will publish this undertaking as well as a summary of the undertaking, on the OAIC website, excluding any confidential schedules;
  2. may issue a statement on the execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking; and
  3. may publicly refer to this undertaking.

30 Marriott acknowledges that:

  1. The Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate or pursue other enforcement options available to the Commissioner in relation to any contravention that is outside the scope of the Commissioner’s Investigation or which is not related to the Starwood Security Incident.
  2. This undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct.
  3. If the Commissioner considers that Marriott has breached the Enforceable Undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce this undertaking under s 115 of the Regulatory Powers Act.

Confidentiality of information provided to OAIC

31 The Commissioner and the OAIC acknowledge that information provided by Marriott in accordance with the Enforceable Undertaking may contain sensitive commercial and security information. The Commissioner acknowledges that this information is provided by Marriott in confidence.

32 The Commissioner and the OAIC will only:

  1. disclose any commercial-in-confidence information with Marriott’s written consent and agreement, unless otherwise required by law; and
  2. use any commercial-in-confidence information for the Commissioner’s privacy regulatory activities or as otherwise required by law.

Other matters

33 Marriott will pay the costs of compliance with this Enforceable Undertaking.

34 Marriott nominates Marriott International, Inc.’s Chief Information Security Officer, as the person responsible for overseeing compliance with the requirements of this Enforceable Undertaking and reporting to the OAIC. Marriott has provided the OAIC with this person’s contact details as at the date of this Enforceable Undertaking and will notify the OAIC within a reasonable period if there are any changes to the identity of this person and/or their contact details.