back to article Marriott's got 99 million problems and the ICO's one: Starwood hack mega-fine looms over

The UK's Information Commissioner's Office wants to fine Marriott Hotels £99m over its loss of 383 million customer booking records last year. The almost-but-not-quite-£100m sum (£99,200,396) was disclosed in a US regulatory filing by Marriott, which said: "Marriott has the right to respond before any final determination is …

  1. Doctor Syntax Silver badge

    A bit of honesty

    We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott clearly we failed so we think the punishment is appropriate.

    Wouldn't that actually be more encouraging to potential customers than the transparently untrue garbage? Contrition is more convincing than bluster.

    1. Borg.King
      Alert

      Re: A bit of honesty

      clearly we failed so we think the punishment is appropriate

      An admission of guilt opens up a plethora of routes to losing court battles for compensation.

      1. Doctor Syntax Silver badge

        Re: A bit of honesty

        The routes are there anyway as there seems to be no dispute it happened. A better attitude might actually lessen the potential for punitive damages.

    2. theblackhand

      Re: A bit of honesty

      "Wouldn't that actually be more encouraging to potential customers than the transparently untrue garbage? Contrition is more convincing than bluster."

      Normally I would agree however given that this problem was acquired rather than being of Marriot's making AND they appear to have been open and honest about it and cleaning it up, I think they have been contrite.

      1. Doctor Syntax Silver badge

        Re: A bit of honesty

        "I think they have been contrite."

        Not when they propose challenging the decision.

        1. theblackhand

          Re: A bit of honesty

          Marriott have put aside upto £100m for the fine - while they're challenging the decision is this a case of not accepting the legal liability, accepting the fine and challenging the amount? Or not accepting they should be fined, because I don't

          From previous accounts, Marriott appeared to have a robust internal data security policy given their ability to detect an intrusion and publicly disclosed what happened and have fully co-operated with the investigation. The challenge was in discovering just how broken Starwoods data security systems were prior to the acquisition and then subsequently during the integration of the companies.

        2. ocflyfish

          Re: A bit of honesty

          "Not when they propose challenging the decision."

          They have an obligation to their shareholders to fight this ridiculous fine and not simply roll over.

          I wonder how many of you would be singing a different song if it was the state of California suing an UK company, based upon a California law, and demanding outrageous fines that would simply go into the Sacramento coffers? Something to consider...

  2. Anonymous Coward
    Anonymous Coward

    Just the cost of doing business

    As usual. £99m is totally inconsequential. How about a nice round £1000 for each British citizen whose data they failed to secure? At the very least, the fine should be significantly more than it would have cost to implement proper security, train staff, and generally get serious about protecting their customers. Otherwise why would any rational corporation do the latter?

    1. Joe W Silver badge

      Re: Just the cost of doing business

      Why just "British citizens"? I guess there could be a bunch of tourists staying in Britain as well - plus the ICO's investigation was "on behalf of the EU states". And the data breach was not limited to a certain country, with Pompeo twittering about it...

      But I do agree that these fines should hurt. A lot.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just the cost of doing business

        There are three plausible jurisdictional theories that can be employed here:

        1. The offense occurred wherever the corporation is headquartered, in this case the USA. Since the ICO is involved, I surmise this is not the theory being employed in this instance.

        2. The offense occurred wherever the data was being stored, almost certainly also the USA.

        3. The offense occurred wherever someone lives (or is a citizen) whose data was not properly protected.

        I'm assuming that the basis for UK jurisdiction here is theory (3), in which case I fail to understand how the ICO can properly punish a USA corporation for failing to protect the data of (for example) USA citizens stored in the USA. We rightly raise hell when the USA government tries to assert global jurisdiction, and I fail to see any real distinction here. That for example California has not fined them billions of dollars as well is a mystery to me as it certainly seems that they would have the power to do so under the same jurisdictional theory, and for entirely separate offenses from those committed against citizens of EU member states.

        That said, I do amend my claim to include all citizens of EU member states, since the ICO was acting in that context. Either way, it should be well into double digit billions of whatever currency unit we're discussing.

        1. tfewster Silver badge
          Trollface

          Re: Just the cost of doing business

          The basis is EU GDPR law. If you're doing business in the EU, you have to comply. The (British) ICO is taking this up on behalf of the EU, though I'm curious about where the fine goes to. $4 per head doesn't go far in covering individuals against ID theft, but presumably the ruling makes it easier for customers to make their claims for actual losses.

          I don't know California law, but they're welcome to prosecute as well if they don't feel the company has been punished sufficiently.

          I can see a fun future where countries race to get their prosecutions in "on behalf of the world" ;-)

          1. Cuddles Silver badge

            Re: Just the cost of doing business

            "The (British) ICO is taking this up on behalf of the EU, though I'm curious about where the fine goes to."

            Presumably similar to the breakdown from the BA fine:

            https://www.bbc.co.uk/news/business-48905907

            "The penalty is divided up between the other European data authorities, while the money that comes to the ICO goes directly to the Treasury."

            I haven't seen any information on exactly how the split between countries is decided. Presumably it's on a case-by-case basis depending on how many people were affected in different places.

        2. Wellyboot Silver badge

          Re: Just the cost of doing business

          Marriott Isn't just a single company, like all multinationals they have hundreds of separate legal entities spread across all the countries they do business in. (mainly to firewall liability)

          This one is well within the ICOs remit

          Marriott Hotel Limited - Registered office address - 4th Floor, 45 Monmouth Street, London, England, WC2H 9DG

          As an EU based company they're nailed for not looking after EU citizens data and the ruling will be enforced across the entire EU. I doubt we'll see any attempts to fine companies that have no EU representation even if that is technically covered by the legislation but it could be interesting to see what happens if a foreign company that has suffered a breach later opens a EU operation.

          In the near future I expect there to be many more hugh GDPR fines for all manner of companies as the regulators across Europe bring completed investigations to the party.

          Personally, I think that as the Marriott breach lasted years, the fine should be per-annum.

          1. Doctor Syntax Silver badge

            Re: Just the cost of doing business

            "As an EU based company they're nailed for not looking after EU citizens data"

            The fact that they're an EU company doesn't affect the issue although it would make non-payment a bit easier to deal with. Nor does their being multiple entities which don't, in this case, firewall legal

            liabilities. The salient fact is that EU residents' data was involved.

        3. doublelayer Silver badge

          Re: Just the cost of doing business

          If you're referring to the California Consumer Privacy Act, that doesn't take effect until 2020, so California can't impose any penalties based on that law for this breach. By 2020, I'm sure the various amendments proposed by the many definitely consumer-oriented organizations founded just after the CCPA was passed because some consumers in Mountainview and Menlo Park were just that interested will have been installed in the law and it won't have any effect then either.

        4. Doctor Syntax Silver badge

          Re: Just the cost of doing business

          "I fail to understand how the ICO can properly punish a USA corporation for failing to protect the data of (for example) USA citizens stored in the USA"

          It can't. As far as the ICO or any EU regulator is concerned it can lose millions of US citizens' data every day of the week providing none of them are EU residents. That's the criterion: EU residence.

  3. Dvon of Edzore

    Collateral damage in the Cyberwar

    So the company is targeted by a State-sponsored entity in a cyberwar skirmish between superpowers, and yet it is supposed to fall on its sword for being the victim? Perhaps you will pay all your neighbors when your house is burglarized because you made their insurance rates go up?

    1. Anonymous Coward
      Anonymous Coward

      Re: Collateral damage in the Cyberwar

      If your house is burgled because you left all the doors and windows wide open and put up a sign reading "on holiday for 6 weeks", that wouldn't be unfair.

      State actors have created absurd advantages for themselves over anyone else when it comes to physical, mechanical warfare. The same is not true when we're talking about data security. A clever individual or a corporation with the kind of resources that Marriott International has can defeat this kind of threat, and I would argue is obligated to make every reasonable attempt to do so.

      It's one thing for China to employ sleepers who take IT security jobs with a foreign target corporation, corrupt their auditing software, and send their customers' data back to the PLA. That's difficult (though not entirely impossible) to defend against, but it's also very risky for China: phrases like "international incident" and "act of war" get thrown about, as well as a fairly automatic espionage conviction. It's another thing entirely to simply not bother training staff, employing industry best practices, or really making any kind of effort at all to prevent unauthorised remote access, which is how 99%+ of all these breaches occur. If you want to argue that you couldn't possibly have prevented the breach because it was orchestrated by a state actor, you should have to prove that your countermeasures were strong enough that only a state actor could have pulled it off. Good luck with that.

    2. IGotOut Silver badge

      Re: Collateral damage in the Cyberwar

      I wish I could down vote you more than once.

      1. They were in their systems for 4 years.

      2. The details were unencrypted

      3. "burglarized" that itself deserves a dozen downvotes on it's own.

      1. doublelayer Silver badge

        Re: Collateral damage in the Cyberwar

        There's a clear difference between you getting burgled and a company having customer data stolen from them. I'll lay it out for you:

        You get burgled: your stuff is gone. At the very least, you have to go through the insurance claims process and purchase new possessions. Usually, you're out quite a bit of value.

        Company has information stolen: Customers have to worry about account compromises and identity theft. Without laws like these, the worst the company itself has to deal with is the risk that people might try to avoid their hotels. Given that this is not a market with an infinite number of participants, that isn't a major risk.

        There's the difference. When the negative event only harms you, we don't penalize you for the consequences. When it does, we can look into whether you were at fault. That doesn't mean that you or the company in this case is at fault for the whole thing, and their sentence isn't of the kind you'd get for actually performing that breach, but it is a perfect case for laws against negligence leading to harm, and data protection law better formalizes that in the specific case of data loss. I hope the ICO takes this into account, as a breach can happen to anyone no matter how much security they've done, but I don't see any evidence that they have not.

    3. Doctor Syntax Silver badge

      Re: Collateral damage in the Cyberwar

      "it is supposed to fall on its sword for being the victim?"

      You have a bank account containing a thousand of your local currency units. The bank is robbed and can no longer return your deposit. But I take it you don't care because it was the bank that was robbed, not you.

  4. ShortLegs

    Regardless, at least the ICO is starting to impose fines than DO appear on the balance sheet as tangible numbers, not the piddling £10,000 £250,000 fines of the last decade or so, that were nothing more than rounding errors.

    And, frankly, Marriot's response is leagues ahead of BA's in terms of admission. BA's was nothing more than and indignant 'harrumpf' and a plaintive "we are unaware of any loss to anyone [so why should we be fined]" bleat.

  5. sanmigueelbeer Silver badge
    Pint

    The UK's Information Commissioner's Office wants to fine Marriott Hotels £99m over its loss of 383 million customer booking records last year.

    Let's not kid ourselves: How much fine was handed out is completely disproportion to how much was COLLECTED.

    1. Cynical Pie

      Well given that GDPR/DPA 2018 makes Directors/CEOs personally liable (depending upon the circumstances) I'd wager the amount collected will be a far higher percentage than previously

    2. Doctor Syntax Silver badge

      The fines are based on several criteria according to the GDPR and ICO policy. Firstly the GDPR lays out maximum fines. Secondly the ICO makes a decision based not only on the nature of the event but also on the approach of the offender. A non-cooperative business is going to see much bigger fines. It appears that Marriott were cooperative but their self-serving statement and intention to challenge the fine leads me to think that top management have not learned their lesson and the fine should be bigger and if I were a potential customer I'd maybe look elsewhere.

      1. John Brown (no body) Silver badge

        On the other hand, I can where Marriot and their lawyers are coming from. This is all new legal territory and they want to challenge it to reduce the fine because they think their reading of the law is different to that of the ICO. Whatever the outcome, it creates precedent and case law. It may be that the ICO have misinterpreted the law and scale of the penalty. It might end up being higher.

  6. eldakka Silver badge

    You want to publish your contact details around the world?

    Thinking of publishing them using Facebook? Twitter? White/yellow pages?

    No!

    Just book a stay with a Marriott hotel, and we'll take care of distributing your contact details around the world for no extra charge!

  7. steviebuk Silver badge

    Pullman London St Pancras

    They need to check that hotel next. Jan or Feb 2018 its security was shockingly shit. They weren't even isolating the WIFI network. They attempted to fix some of the issues while I was there when I reported it. But how long it had been insecure is anyone's guess. And unless they've sorted it since I suspect they probably have other issues.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021