Marriott Faces MASSIVE Fine Over Data Breach

Just yesterday I wrote about how British Airways is facing a massive fine over the data breach that happened last year. Under the UK’s General Data Protection Regulations (GDPR), which were implemented last year, the UK’s Information Commissioner’s Office (ICO) is slapping them with a £183m fine.

Well, they’re not the only company looking at a massive fine. Remember Marriott’s data breach from last year (which Marriott handled horribly)? The breach first came to light in November 2018 and involved records for about 339 million guests globally, including the information of seven million UK residents.

Well, it has just been announced that the UK ICO is fining Marriott a total of £99,200,396 in relation to this data breach.

Marriott has the right to respond before any final determination is made, and the company does plan on contesting this.

Information Commissioner Elizabeth Denham had the following to say regarding this:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott CEO Arne Sorenson had the following to say:

“We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Bottom line

These massive fines will no doubt give a lot of executives pause. I expect that this will only be the beginning of these kinds of fines, which are otherwise unprecedented. With fines of up to 4% of annual global revenue possible for big companies, we could continue to see fines this massive.

However, at some point one has to wonder if all of this isn’t just a bit extreme. Obviously these were massive breaches, but seeing nine figure fines is something, alright. Furthermore, it’s not like this money is going to those who were impacted by these breaches…

What do you think — yay that companies are being held accountable to this extent, or is this all a bit over the top?

  1. They should be made to pay but as you point out, the money should go to the “victims” whose data has been compromised.

  2. Not extreme at all, especially given Marriott’s handling of the situation. These companies that willfully keep sensitive information should be held accountable by governments when they fail to meet reasonable and accepted IT security standards.

  3. This is just a money grab by the government. The money should go to better IT or the people who had their data stolen.

  4. If you’re an executive of a major global corporation, at what point do you begin to rethink your strategy in Europe? If these fines become the norm, I can’t imagine businesses will be hurrying to expand their operations there.

  5. Totally justified. These massive companies that play fast & loose with private data need to start being more careful.

  6. Here’s a radical idea, how about build proper IT security. Sure there might be a dip in c-suite bonus for a while but in the long run it will be better for everyone.

    The main issue today is that there is no penalty (until now) for skimping on IT security.

  7. @ Jack

    Ha! I love your naive belief that companies would willingly spend mega-sums on properly protecting their customers’ data without the incentive of these massive fines.

    As avgeeks, we all know about the punitive fines associated with EU261 compensation delays. The whole point of that regime is that it is to incentivise companies not to operate with delays. The EU and the national governments don’t see EU261 as a mechanism to transfer cash to us punters — they see it as an incentive for companies to do the right thing (or face the price of failing to prioritise their customers).

    These GDPR fines are exactly the same. For far too long many multinationals have been incredibly casual about our personal data. They haven’t bothered to invest in IT systems and security to keep our private data safe — why should they, when there’s little cost to them other than a bit of embarrassment if there’s a data breach?

    But now, they are all incentivised to protect our data. The GDPR fines are not a faux-tax grab. They are an attempt to make companies do what they should have been doing all along. This legislation will be considered a huge success when no company is fined for data breaches — because there have been no data breaches.

    @ Steve

    If you can’t manage your business in a competent way (that ensures your customers’ data is not stolen), then, frankly, I’d be delighted if you stopped doing business in Europe. Or anywhere else, come to that.

  8. @ Ben — The fine should be about 10x higher. Facebook should be bankrupted for their sale of everyone’s data to slimy corporations.

  9. These figures are what finally makes the CEO sweat when a major breach happens. They didn’t care when the fines were 1 or 2 million because their salaries could cover that alone. Now that it’s actually a figure they can relate to, they’ll be looking into strengthening their IT systems for sure. The fact that BA and Marriott both were not even expecting such fines just shows the level of ignorance these companies have.

  10. Sorry but 99 million pounds ($123 million) is nothing. That’s about 6% of Marriott’s annual profit. These companies should face fines in the billions of dollars for breaches like this.

  11. I tend to agree with several others that this is completely and absolutely justified. Not over the top at all. Corporations are quick to seize monetary opportunities, yet won’t take the time to do it with responsibility or hold themselves accountable lest their greed be exposed. Marriott is no different. Accountability is sorely lacking in the US and elsewhere. Yeah, as a consumer, I absolutely expect corporations taking my money to treat my information with the same reverence with which they took my money.

  12. I agree with Lucky’s last statement about companies re-thinking their EU strategy if fines like this continue to escalate. I know lots of people love hating on big corporations and all of their greed. It gets lost that these companies employ a lot of people and provide services that customers willingly pay for. If you hate Marriott don’t stay there. If you hate AA don’t fly them.

    Lastly if these fines become a common place the companies will adjust by raising prices in those areas. How does this help the consumer?

  13. The EU is the second largest economy in the world. No one will rethink their EU strategy… not google, not FB, definitely not Marriott. Meanwhile, these fines could definitely be higher. Right now, they look like the cost of doing business in the EU….

  14. @ Tom I
    “Lastly if these fines become a common place the companies will adjust by raising prices in those areas.”

    That’s exactly what the legislation is not intended to do — and it’s why the fine is so high. Big companies can easily write-off tens or hundreds of thousands. But most Boards of Directors will have a minimum figure above which all fines must be reported.

    And, as per BA, a fine that’s about 10% of next year’s total expected profit will make any Board take notice. And the BA fine could have been as high as 25% or more of profit. Companies will take notice of fines of that order of magnitude, and they will take action to avoid exposure.

    And isn’t that actually what any sane person would want: corporations looking after our personal data?

  15. Without the massive fines the breeches will only get worse. These companies need to be held accountable.

  16. 1. These fines are too low. Another zero would be about right.

    2. If a company does not cooperate, any fines should be doubled.

    3. All monies should go to those affected.

  17. As one who’s had personal information stolen from T-Mobile, the US Office of Personnel Management, and Marriott, I cannot think of any fine that is too high.

    On a calmer note, I don’t want to bankrupt any of these organizations, however the fines should be enough of a sting (to the point that the stock price/stock shareholders feel it) that these companies take very seriously their security obligations.

  18. My company was fined $1 Billion (with a B) for some misconduct. We paid our dues and moved on.

  19. ‘Without the massive fines the breeches will only get worse…’ Why are companies being fined for having disreputable trousers? Are their civil rights being breached?

  20. Good fine but the money or at least part of it should go to the victims. My data was stolen and I get nothing.

  21. God people get real! I’ve been in IT 39 years (now retired) and am a former CIO of 2 different national companies. These fines are crazy. Why is everyone such a privacy zealot when data on EVERYONE is widely available (whether you like it or not). Costs of all business are ultimately paid by the consumer so all this does is drive up prices across the board. Hope you are happy now. SMH!!!

  22. Not surprising. I’ve worked with several organizations like these guys. They are big, make billions, involve a lot of customers. But they all share the same thing in common. They do not ever take anything IT related seriously. It’s just serious enough for marketing and provide lip service that they care about you. And for most non technical CEOs that’s about all they know. But they really don’t care and it falls into 2 reasons. One, it’s really expensive to hire good IT folks. I’m not talking about cheap offshore folks because they are not remotely close to competent and will provide the same level of protection to you as a piece of gum is protection to locking your house front door. Second reason (and I can’t blame the company for this) is that there is a lack of staff with that level of knowledge. And it’s not just a lack of security IT which is severely in short supply but good project managers are also short in supply to drive those projects and make those priorities. The uber geek might be a genius but they can’t drive projects. You often end up with companies with the attitude “ok that’s good enough, nobody knows our flaws anyway” but I guarantee there are very few companies out there that can actually provide that level of security and protection. We’ve seen this at Starbucks who had clear text in their mobile app for over a year even though 3rd parties told them so, we’ve seen this with Target and just about every other retailer out there. They can’t/won’t spend that much on labor even if it exists which it doesn’t. That’s why competent IT folks like myself are often working 70 hours/week doing 2 jobs and fixing the mess outsourced vendors screw up. We get to the point where we also are just trying to get stuff done but not have the time to spend extra weeks on making things better. Now maybe if some more of these upper execs are sent to prison will companies cut the bonus and pay of the upper echelon and spend it on IT training.

    I honestly believe that companies can train their less technical folks to do much of the onerous duties that developers have to do then the developers can focus on security and everybody benefits…except for the clueless VPs who just sit around making deals and use their laptops as clocks.

  23. @AC I’m glad you are no longer a CIO, because you are part of the problem! The data is not widely available. Not only give up my passport number, but my travel patterns and associated information. I’ve been a CISO for 26 years and you are an ill informed dinosaur!

  24. I second the request for telling us what hotel is in the picture here – and I’ll add my general comment that when a travel site, or blog, or Facebook post puts up a well chosen awesome picture of somewhere, they just ought to supply the location automatically unless there’s a specific reason not to (UrbEx comes to mind)! Thanks 🙂

  25. Cost vs benefit. The Marriotts of the world will tolerate breaches and pay the fines until it is in their interest to do otherwise.

  26. Fantastic news. These fines are (correctly) set at a punitive level that should hopefully force other companies to pay more attention to protecting user data. They aren’t to do with individual customer loss as the money isn’t going to them.

  27. Although unfortunate, this is the only thing that will get them to take data privacy seriously. All the regret in the world won’t lead them to spend a dime or a thought on data privacy, but big fines will.

  28. @AC, which companies did you work for? Want to make sure I don’t do any business with them. You are a good example why corporations are least interested in securing. If you are going to store my personal information without giving me an option to opt out, then the least you can do is to try your best in securing it. A 100% hack proof system does not exist, but that does not mean companies should be careless about security.

  29. @Ben and team, when you post pictures under the heading banner can you please add a line specifying the property, location or product? Although guessing is sometimes fun. Haha

  30. Reality is this is the way to make these companies take notice. Ideally, yes, the fines would be distributed to affected parties, although that is compensation, which is a different thing.
    I simply can’t believe that people on here and other sites, argue that these fines are too high. These were not regulations that were imposed without notice, or where the consequences of failure to comply were unknown. There was a significant lead in period. If neither Marriott nor BA felt it was serious enough then that’s their decision, but now they have to deal with the consequences. There seems to be little debate as to the validity of the actions they (failed to) take, the argument is merely the size of the penalty. Well you knew what that could be. It’s no use whining now you’ve been caught.

  31. Maybe we should consider to start a case against Marriott for this data breach, only for (Marriott) Bonvoy members that received a confirmation that their personal data was affected in this breach.
    So we can get the compensation we deserve and Marriott is not giving to us. The disrespect from Marriott to us is unacceptable…

  32. Another way for broke countries to gouge money from the producers. As you said no money goes to the victims.
