In the BA notice, for example, the ICO highlighted that the attacker had gained initial access to BA’s network using compromised credentials of a user within a third party supplier who was accessing the BA network remotely. The attacker was then able to “breakout” from the remote access systems into the wider network BA operated.
The ICO referred to a range of guidance in the public domain prior to the GDPR taking effect that it said highlighted the risk of a “supply chain attack” and which set out steps organisations could take to “address the threat of such an attack”. Examples cited in this regard included:
- The Centre for the Protection of National Infrastructure’s (CPNI) good practice guide of April 2015, entitled ‘Mitigating security risk in the national infrastructure supply chain’;
- Supply chain security guidance issued by the National Cyber Security Centre (NCSC) in January 2018 which supplemented the CPNI guidance;
- The ICO’s own ‘GDPR security outcomes’ guidance of April 2018;
- The ‘Top Ten Proactive Controls 2016’ as listed by the Open Web Application Security Project (OWASP);
- The US National Institute for Standards and Technology’s (NIST’s) 2016 guidance entitled ‘Back to basics: multi-factor authentication’.
In the Marriott case, the ICO focused its scrutiny not on the initial security breach, but on the lack of “appropriate and adequate” security measures Marriott had in place for identifying the breach and for preventing “further unauthorised activity”.
The ICO said in particular that there was a “failure to put in place appropriate ongoing monitoring of user activity, particularly activity by privileged accounts”. Again the ICO sought to flag these failings in the context of guidance in the public domain. It referred to:
- The NCSC November 2018 guidance entitled ‘10 steps to cybersecurity: guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cybersecurity’;
- The NCSC January 2018 guidance entitled ‘Introduction to identity and access management’.
The ICO said: “Both examples of NCSC guidance detail the basic need for multiple security techniques, processes and technologies in order to secure systems. Accordingly, Marriott ought to have been aware of the need to have multiple layers of security in place in order to adequately protect personal data.”
While Marriott had applied multi-factor authentication controls and had other “additional security measures in place”, the company “ought to have had in place better monitoring of user activity to aid in the detection of an attack, as an additional layer of security”, the ICO said.
The ICO said Marriott could have gone further too to exercise control over critical systems. It said it “would have been appropriate for Marriott to implement a form of server hardening as a preventative measure”, citing in particular the use of ‘whitelisting’ as a means of limiting user access controls to specific systems or software in a way which corresponds with their role.
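The two controls the ICO singled out for Marriott, ongoing monitoring of privileged-account activity and role-based allowlisting of the systems a user may reach, can be illustrated together. The following Python sketch is an added example and is not code from the article, the ICO notices or the guidance documents cited; the log line format, role names, system names and the business-hours window are all constructed assumptions. It checks each access event against a role-based allowlist (the "whitelisting" the ICO referred to), which would also surface a third-party remote-access account reaching systems outside its role, and separately flags privileged-role activity outside the expected hours so that it can be reviewed.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role-based allowlist: each role may only reach the named systems.
# These names are constructed for the example, not taken from any real environment.
ROLE_ALLOWLIST = {
    "helpdesk": {"ticketing", "password-reset"},
    "dba": {"ticketing", "db-prod", "db-backup"},
    "vendor-remote": {"vpn-gateway", "vendor-portal"},
}

# Roles whose activity warrants the closer ongoing monitoring the ICO described.
PRIVILEGED_ROLES = {"dba"}

# Assumed business-hours window (24h clock); activity outside it is flagged for review.
BUSINESS_HOURS = range(8, 18)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    system: str
    outcome: str  # "success" or "failure"


def parse_event(line: str) -> AccessEvent:
    """Parse one line of the constructed log format:
    '<iso-timestamp> user=<u> role=<r> system=<s> outcome=<o>'"""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return AccessEvent(
        ts=datetime.fromisoformat(ts_str),
        user=fields["user"],
        role=fields["role"],
        system=fields["system"],
        outcome=fields["outcome"],
    )


def is_allowed(event: AccessEvent) -> bool:
    """Allowlist check: an unknown role is allowed nothing (deny by default)."""
    return event.system in ROLE_ALLOWLIST.get(event.role, set())


def review(lines):
    """Return (finding, user, system) tuples for events that need attention."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if not is_allowed(event):
            # Preventive control: access outside the role's allowlist.
            findings.append(("ALLOWLIST_VIOLATION", event.user, event.system))
        elif event.role in PRIVILEGED_ROLES and event.ts.hour not in BUSINESS_HOURS:
            # Detective control: privileged activity at an unusual time.
            findings.append(("PRIVILEGED_OFF_HOURS", event.user, event.system))
    return findings


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2024-03-01T09:15:00 user=alice role=helpdesk system=ticketing outcome=success",
    "2024-03-01T09:20:00 user=vendor01 role=vendor-remote system=db-prod outcome=success",
    "2024-03-01T02:30:00 user=bob role=dba system=db-prod outcome=success",
    "2024-03-01T10:00:00 user=bob role=dba system=db-backup outcome=success",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run as written, the sketch reports two findings: the vendor remote-access account reaching a production database its role does not cover, and the database administrator's privileged session at 02:30. Neither line is an attack on its own, which is the point of layering the allowlist (prevention) with monitoring (detection): the allowlist stops or records the first, and the monitoring rule brings the second to a reviewer's attention.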
The ICO highlighted the fact that this kind of security measure had been recommended in:
- The NCSC ‘10 steps to cybersecurity…’ guide;
- The NCSC’s ‘Cyber Essentials’ guidance, published in October 2015;
- NIST’s October 2015 guide to application whitelisting.
While the ICO, like other European data protection authorities, will ultimately assess compliance against the black letter of data protection law, its action against BA and Marriott highlights the importance the authority places on adherence to cybersecurity guidance in the public domain.
In referencing guidance from NIST in the two cases, the ICO is making clear that, in the case of multinational businesses at least, it will expect companies to maintain awareness of prominent guidance developed not just in the UK but in other jurisdictions too.
The Marriott case: other notable insights
In the Marriott case, the ICO also provided some clarity on the question of when a personal data breach is considered to be reportable under the GDPR.
Under the GDPR, organisations must notify relevant data protection authorities of personal data breaches “without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
The ICO disagreed with Marriott’s submission that data controllers must be reasonably certain that a personal data breach has occurred before their obligations to report the breach are triggered. Instead, the ICO held that the test of whether an incident is reportable is that the “data controller must be able to reasonably conclude that it is likely a personal data breach has occurred”.