Information Security after BA and Marriott: the other “new normal”

The ICO's long awaited penalty notices for the data breaches involving British Airways and Marriott were at last issued in late October. The notices have been reported on extensively and there are numerous points of interest in both (almost worth the wait!).

The ICO's approach to enforcement

There is extensive discussion in both notices about the process of regulatory enforcement and considerable insight into the logic and thinking applied by the ICO when suggesting and finalising fines, particularly when read alongside the ICO's relatively newly published draft statutory guidance on its regulatory action policy.

These aspects of the notices are worth their own detailed analysis (we love a bit of enforcement nerdery) but our 'one liner' by way of key practical takeaway is that an organisation's conduct following discovery of a breach really, really matters. This isn't 'new' news (think back to fines for TalkTalk (x2), Equifax, Uber and the ICO's commentary on the conduct of the parties) but the reinforcement of this message in the notices couldn't be clearer.

Secondary to that (secondary only because, frankly, you have to hope not to get there) is that it's almost certainly going to be worth a challenge to any notice of intention to issue a penalty. Both BA and Marriott launched vigorous (and ultimately very successful) challenges to the ICO's original proposed fines, bringing the combined total of the fines across the two organisations down from an aggregated £282 million to an aggregated £38.4 million.

Information security

The main focus of this article is the learnings to be taken away from the information security 'post-mortem' included in each of the notices. These sections of the notices ("Circumstances of the Failure: Facts" and "Circumstances of the Failure: Breaches") are certainly worth a read for anyone interested in information security (i.e. ideally everyone – we all need to speak this language whatever our remit and role within a business).

As with the points above, not a lot of this is 'new' news, but we must assume that the requirements outlined in the notices will be the new baseline in terms of the ICO's expectations and should therefore become a new 'hygiene factor' threshold to meet in terms of information security market practice. In other words, have you digested the BA and Marriott notices and implemented measures that you might have omitted to implement before?

The four key lessons/themes in our view are as follows:

One: back to basics

Pay attention to what's going on in the outside world.

BA had failed to implement measures recommended by Citrix, the supplier of BA's remote access technology, in response to known weaknesses. Guidance was widely available but BA hadn't acted. Similarly, the notices refer repeatedly to BA and Marriott having failed to implement security measures that were well established, generally well understood and well publicised by both the UK's National Cyber Security Centre and the US National Institute of Standards and Technology.

Don't fall down on the fundamentals.

For example, make sure you are implementing the "principle of least privilege" when it comes to access controls, don't store domain administrator account credentials in plain text allowing an attacker to upgrade their own systems access privileges, and make sure your wrap-up processes when moving systems from development to production are robust enough to identify datasets left behind. Lastly, just because systems or servers are about to be retired does not mean you can relax (if personal data is still being processed, you still need to make sure that your security is appropriate).

You cannot outsource accountability.

You are still on the hook, even if you outsource elements of your information security to big, sophisticated suppliers or partners (Accenture, in Marriott's case). Similarly, simply putting agreements in place with organisations accessing or otherwise processing your data is not enough – you must carry out due diligence and audit, and you must implement technical controls as well as simply being able to point to contract terms. BA came unstuck because a supplier's employee (based in Trinidad and Tobago) had their log-in credentials compromised and it wasn't enough for BA to simply point to documents requiring the supplier to meet certain standards – BA should have implemented technical controls itself.

Live your policies.

BA found themselves in the unfortunate (and – as it turned out – largely indefensible) position of having a policy that required multi-factor authentication (MFA) on all remote access systems, but having 13 out of 243 such systems not in fact subject to MFA. BA was unable to produce documented risk assessments showing its rationale for having failed to apply MFA, nor could BA demonstrate alternative adequate measures applied to manage the risk of the failure, meaning that it was unable to demonstrate that it had applied appropriate security.

Two: beware taking your 'risk based approach' too far

It's not all about payment card data.

The ICO was very clear that it considered that Marriott focused on payment card data (i.e. its PCI-DSS obligations) to such an extent that Marriott had taken its eye off the ball in relation to the protection of other personal data for which it was responsible. The measures applied to Marriott's payment card data should have been applied over and above adequate security measures applied to other critical systems.

Show your working.

If you have omitted to implement certain security measures (particularly if those measures are required by your own policies – see above), then be prepared to evidence your thinking and demonstrate how you've fulfilled your obligations – ideally you need to be able to demonstrate what you have implemented instead. In other words, if you are taking a risk-based approach (and who doesn't?) this needs to be deliberate and considered and still amount to "appropriate" security.

The standard for critical systems will always be high.

Even if you are taking a risk-based approach, certain minimum standards will always be expected in relation to your critical systems. Think MFA, encryption and server hardening (including whitelisting – or, as we prefer, allowlisting or similar).

Three: monitor, monitor, and monitor some more

Secure the perimeter, but that's far from the end of the story.

Both notices refer extensively to monitoring of activity on systems, on databases and of users. There is a clear acknowledgement that appropriate information security is not just about preventing an attack – this won't always be possible. You need to have implemented extensive logging and monitoring processes. Look for unusual user activity; look for exports from or unusual activity within databases. Monitor the accounts with highest privilege the most closely since these can clearly cause or facilitate the most damage.

Spot the difference.

Good situational awareness and an understanding of what your normal system activity looks like is absolutely fundamental to being able to identify a data breach quickly and contain the activity of an attacker. Sophisticated alert/warning systems will be completely redundant if you don't have logging and monitoring processes in place in the first place in order to spot activity that doesn't look 'normal' and consequently trigger the alerts.
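To make the two monitoring points above concrete, here is an added illustration (ours, not taken from the notices or from either organisation's systems): a per-account baseline of database reads, with a tighter alert limit for privileged accounts. The account names, audit events and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (day, account, is_privileged, rows_read)
HISTORY = [
    (1, "app_booking", False, 1000), (2, "app_booking", False, 1100),
    (3, "app_booking", False, 950), (4, "app_booking", False, 1050),
    (5, "app_booking", False, 1000),
    (1, "dba_admin", True, 200), (2, "dba_admin", True, 220),
    (3, "dba_admin", True, 180), (4, "dba_admin", True, 210),
    (5, "dba_admin", True, 190),
]
TODAY = [
    (6, "app_booking", False, 1150),   # busy day, within tolerance
    (6, "dba_admin", True, 340),       # modest rise on a privileged account
    (6, "dba_admin", True, 250000),    # bulk read, export-sized
    (6, "svc_legacy", False, 500),     # account never seen before
]

def build_baseline(events):
    """Return {account: (mean, std dev)} of rows read per day."""
    rows_by_account = defaultdict(list)
    for _day, account, _priv, rows in events:
        rows_by_account[account].append(rows)
    return {a: (mean(v), pstdev(v)) for a, v in rows_by_account.items()}

def flag_anomalies(events, baseline, z_normal=4.0, z_privileged=2.5, min_sigma=50.0):
    """Flag events far above an account's own normal; thresholds are assumptions."""
    alerts = []
    for _day, account, privileged, rows in events:
        if account not in baseline:
            alerts.append((account, rows, "no baseline for this account"))
            continue
        mu, sigma = baseline[account]
        sigma = max(sigma, min_sigma)  # floor so a very flat history does not alert on noise
        z = (rows - mu) / sigma
        # Privileged accounts get the tighter limit: they can do the most damage.
        if z > (z_privileged if privileged else z_normal):
            alerts.append((account, rows, f"{z:.1f} sigma above baseline"))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(TODAY, build_baseline(HISTORY)):
        print(alert)
```

Note that the ordinary account's busy day and the privileged account's modest rise are a similar distance from their own normal, yet only the privileged one alerts; without the logged history, neither could be judged at all.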

Four: the quality of your M&A due diligence counts

Invest in independent security reports.

Marriott relied on independent reports into the use of MFA when acquiring Starwood (the company whose systems were ultimately compromised leading to the breach). The reports turned out to be incorrect (i.e. MFA was not in place to the extent that Marriott had believed it to be).

The independent reports were carried out prior to and following completion of the acquisition. The ICO decided that Marriott's reliance on the reports did not amount to a breach. The obvious question is whether Marriott would have been deemed more culpable had they relied only on a management-led due diligence process, without investing in independent security reports. We think so.

Know what you don't know.

Even if you commission independent information security reports as part of a corporate acquisition process, that's not the end of the story. You need to assess and account for the limitations of those reports: what don't they tell you? Similarly, what don't your post-acquisition penetration tests or other audits tell you? Identify, prioritise and plug the gaps.

Buyer beware.

Unfortunately for Marriott, the serious deficiencies in Starwood's system security allowed the attacker to gain access prior to Marriott's acquisition. Marriott continued to operate those systems and, as such, took on responsibility for the failings. The lesson here is pertinent both to the due diligence process and to the post-acquisition integration – buyers will need to act quickly.

We often find ourselves working alongside clients looking to embed a culture of proactive risk mitigation in the context of information security. From our perspective, culture is absolutely key. The points discussed above may in places seem technical and would therefore be easy to write off as being an issue for an IT or Information Security team. We know that for this to work well, information security needs to be in the day to day consciousness of boards, HR teams, marketing teams, operations, digital – just about everyone. The notices issued to BA and Marriott are helpful reminders of how easy it is for even the largest and most sophisticated organisations to miss the basics when it comes to information security and data compliance.

If we can help or if you would like to chat things through, please do get in touch. Our team can support with proactive risk mitigation as well as incident/breach response and would be delighted to help.