back to article Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years

Your name, address, phone number, email address, passport number, date of birth, and sex are worth just £0.05 in the eyes of the UK Information Commissioner's Office, which has fined Marriott £18.4m after 339 million people's data was stolen from the hotel chain. The fine was imposed as a regulatory punishment for the 2018 …

  1. NeilPost Silver badge

    Bafflingly Shameful

    As bafflingly shameful as BA’s ‘get away near Scott-free’ knuckle rap.

    The ICO Chair should Fucking resign in shame.

    Simple solution - as with BA - take the £18m as a down payment on an instalment plan tied to the companies recovery. No boardroom bonuses until paid off.

    Simple, fair, proportionate and helps out with short-term cash flow/revenue issues. 5-10 year payment plan please.

    BA and Marriott must be pissing themselves in glee at this. It’s disgusting - esp.. In light of BA’s casual disregard of the law on refunds and employment practices too.

    Habitual offenders have been rewarded with the equivalent of a misdemeanour punishment.

    1. stiine Silver badge

      Re: Bafflingly Shameful

      And garnish all executive bonuses (including signing bonuses) until the sum is paid in full.

    2. Anonymous Coward
      Anonymous Coward

      Re: Bafflingly Shameful

      "As bafflingly shameful as BA’s ‘get away near Scott-free’ knuckle rap."

      Unpopular opinion - I think Marriott have been punished harshly for this.

      The only Marriott business decision that lead to this disclosure was purchasing Starwood Group, and once discovered, they handled the disclosures in a responsible way helping customers where possible. From my understanding of this case from following it over the years, at every step of the way they have tried to do the right thing for those affected by past decisions, aside from admitting legal responsibility which I assume is for legal purposes in various jurisdictions. Unless I've missed something, they have ticked all of the boxes that they could other than discovering the breaches pre-acquisition. From an IT/Security/risk management perspective, Marriott employees that did not work for the Starwood Group likely did everything possible to comply with data security requirements.

      What would have happened if Starwood Group hadn't been acquired? It would have been a much smaller company so the fines would have likely been much less given Marriott Group was around 10x the size of Starwood Group.

      If we punish companies heavily for making the right decisions, why should we expect them to keep making the right decisions? Marriott would have been better off doing the minimum and spend the money fighting to reduce the size of the fine....

  2. alain williams Silver badge

    To stop it happening again ...

    which should be one of the ICO's aims, should they not have insisted that Marriott be audited by an independent White Hat type organisation for 10 years ? Hopefully the WH types would kick up a fuss at poor/sloppy practice and make them fix it.

    I do not know if the ICO has the power to order this, if not then time to get a quick bill through parliament.

    1. Mike 137 Silver badge

      Re: To stop it happening again ...

      As long ago as 2009 I suggested to the then deputy information commissioner that fines should be replaced by enforced specific remediation and fulfilment audit at the expense of the subject of the action. His response was that they couldn't contemplate affording that as their revenues were insufficient.

      The ICO's funds still are insufficient, primarily because it's in a bind. It can't be funded by government as there would be a conflict of interest if it had to action a government data breach; it can't be funded by fines as there might be suspicion of malpractice in aid of revenue. The existing model is a registrant fee based on scale of organisation, and it clearly yields insufficient funding. Our annual fee is a mere £40 and that's probably the fee the majority of companies pay. I'd be quite content to see it doubled or trebled, which would make a big difference to the ability of the ICO to take on duties that actually prevent data breaches, quite apart from supporting its other workload. The last time I enquired the ICO was so overloaded that it took several months just for a complaint to be allocated a case officer.

      I strongly suspect that for the same reasons the downward negotiation of fines is a trade off between the cost of litigation and the effect of the penalties. A typical business will spend many time more on a legal challenge than they save as a result of its success, as what matters is "reputation". The ICO can't afford to do that, but has to cut its losses much sooner as appeal litigation runs to millions.

      1. NeilPost Silver badge

        Re: To stop it happening again ...

        How are other regulators like Ofcom, Ofwat, Ofgen, Financial Ombudsman/FCA/Payment Regulator, CQC/Monitor, Charities commission, CAA, Nuclear Regulator, Ofsted, EHRC, ASA, IPCC, etc... funded ??

        Perhaps the banks would like to contribute a sliver of funding ... as often it’s their card data pilfered?

        If not out of general taxation.

        1. Mage

          Re: To stop it happening again ...

          Ofcom may be funded by Mobile Licence fees. Comreg is. Guess how much they care about anything other than Interference to Mobile Bands, or consumers or non-Mobile Spectrum users?

        2. Anonymous Coward

          Re: To stop it happening again ...

          Perhaps the banks would like to contribute a sliver of funding ... as often it’s their card data pilfered?

          The ICO is already paid for by a sliver of funding from all data controllers.

          "The ICO is primarily funded by organisations paying the data protection fee, which accounts for around 85% to 90% of the ICO’s annual budget.... From 1 April 2019 to 31 March 2020, the ICO projects that it will collect roughly £46,560,000 through the data protection fee."

          So whilst it's not a big drain on the public purse, it's a bigger drain on the public's purse.

          Nevertheless your suggestion has legs because I imagine almost all the ICO's money comes from a prodigious number of SMEs who pay £40 or £60 each per year rather than a tiny number of multi-billion pound turnover multinationals who cough up a microscopic (for them) £2,900.

          The relevant tax* structure is here.

          * It's a tax, not a fee, because there is no quid pro quo, which is needed for a fee but absent for a tax.

      2. Blazde

        Re: To stop it happening again ...

        Right, the taxpayer can't fund them because of conflict of interest investigating government departments, yet their own fine surplus of several million/year goes to 'Consolidated Fund' aka The Treasury. I'm not sure that's totally logical.

        I was going to suggest they get to keep a fixed value of the fine revenue, given the assumption they are going to be issuing at least some fines annually for the foreseeable future but it seems changes like that are being looked at, and they have received a small (£0.6m) government grant for litigation costs in the last financial year, as well as various other specific grants for setup costs earlier.

    2. stiine Silver badge

      Re: To stop it happening again ...

      Agreed, but not any company that has audited them since 2004...

  3. AW-S

    An upside to COVID

    "with the COVID-19 pandemic scoring it a further £4m discount".

    At last their shareholders get an upside from COVID. Shameful.

  4. Anonymous Coward

    COVID discount?

    So China unleashed hell on the world, and because of that some rich hotel chain gets a £4M discount on its punishment?

    Can someone please explain what the connection is between these two things?

    1. sabroni Silver badge

      Re: So China unleashed hell on the world

      Because if it'd manifested anywhere else it wouldn't have been spread around the world by humans?

      I think your bigotry is showing......

      1. Anonymous Coward
        Anonymous Coward

        Re: So China unleashed hell on the world

        It "manifested" (cute word - I think you mean it spread to humans) because of Chinese cultural preferences.

    2. Anonymous Coward
      Anonymous Coward

      Re: Can someone please explain what the connection is between these two things?

      It's more socialism for the Rich. When they get a fine, if they're having a hard time paying it, it's reduced.

      Try that next time you get nicked for speeding whilst poor.

      1. SGJ

        Re: Can someone please explain what the connection is between these two things?

        Fixed penalty offences are, as the name suggests, fixed so pleading poverty won't get you a reduced penalty if you break the speed limit. However, financial circumstances are taken into account with fines. The Sentencing Council guidelines say:

        "The amount of a fine must reflect the seriousness of the offence (Criminal Justice Act (“CJA”) 2003, s.164(2).

        The court must also take into account the financial circumstances of the offender; this applies whether it has the effect of increasing or reducing the fine (CJA 2003, ss.164(3) and 164(4))."

        The maximum penalty notice (not fine) the ICO may issue is linked to a companies global turnover and, since Covid-19 will have affected Marriot's turnover, the penalty notice takes this into account. The ICO has updated it's Regulatory Action Policy to take account of Covid-19 and this now includes

        "As set out in the Regulatory Action Policy, before issuing fines we consider the economic impact and affordability. In current circumstances, this is likely to continue to mean the level of fineswill be reduced."

    3. St Deiniol

      Re: COVID discount?

      FYI there seems to be little or no evidence that C19 came from China. Retrospective tests have shown that at least one person died in France of C19 weeks before it was 'discovered' in China.

      1. Anonymous Coward
        Anonymous Coward

        Re: COVID discount?

        Link please. And not youtube.

        1. Anonymous Coward
          Anonymous Coward

          Re: COVID discount?


          The link you requested. For what it is worth, there was also a death in England in December. But I, stupidly, did not bookmark it.

          Cheers… Ishy.

          1. Anonymous Coward
            Anonymous Coward

            Re: COVID discount?

            Hmm. An undated article, about 1 patient, with samples stored for some time, and the source didn't want to comment. Okaaaaaay.

  5. 0laf

    A lot of this comes down to the ICO not having a big enough legal budget. Basically it can't afford to take on these big multinationals so it gives in when they says "how much to make this go away". Remember the ICO doesn't get to keep these fines they go to the Treasury.

    Really the ICO should be able to hang onto some of this money to add to its legal fund to makes sure it is not in the same position next time of being unable to defend its own decisions.

  6. Anonymous Coward
    Anonymous Coward

    If the fine is 0.05/record, wouldn't it make financial sense to just sell all the records that you have on the black market? I'm pretty sure you can get a lot more than that for passport details, no?

    1. Roland6 Silver badge

      Interestingly, the ruoured £99M fine, only values the individual records at £0.25...

    2. Alumoi Silver badge

      Damn it, I told you NEVER disclose out business plan.

  7. Claverhouse Silver badge

    "remains committed to the privacy and security of its guests' information"


    1. oiseau

      Re: "remains committed to the privacy and security of its guests' information"

      This has been happening in too many places for too long, unfortunately with no remedy or end in sight.

      For years people's vital data has been getting continuously stolen from those in charge of their security, ending up in the usual places.

      I have been, for the longest while, convinced that no one is really stealing anything.

      The data is getting sold in huge chunks to the usual clients and the sellers have in turn factored the "fine" into their price.

      Your name, address, phone number, email address, passport number, date of birth, and sex may be worth just £0.05 in the eyes of the UK Information Commissioner's Office but for the miscreants in the data traffic business it is priceless cash cow as they can sell it many times over.

      The only way to stop this is making it hurt, in the most ruthless manner.

      Be sure once it is put in place it will not ever happen again.

      You lost my data because you did not protect it properly?

      Right then: it's £10 a pop for the first time and £100 if it happens again, with the members of the board financially responsible with their own assets for the fine.

      A sad state of affairs.


  8. gargantua


    Governance seems to still be such a mess with personal information. In the US, we are seeing a lot of redundant privacy-oriented legislation in localities and States, written mostly to serve the career of its author. Standard Information Security Audits of companies that warehouse or process large amounts of PID, like Marriott, should be clearly defined and mandated.

  9. sanmigueelbeer
    Thumb Down

    Money talks -- BS walks

    Marriott deeply regrets the incident remains committed to the privacy and security of its guests.

    HAHAHAHAHAHA ... £0.05 per person, of course you do. *wink*, *wink*, *jab*, *jab*

    (I'm looking at the calendar right now and I thought it was 01 April ... but it is not.)

  10. Anonymous Coward
    Anonymous Coward

    UK watchdog's mooted £99m penalty comes in at just £18.4m

    GREAT news for BIG BUSINESS who think they might find themselves in similar predicament. Fear not! It's only the shitty no-name scumbags that get sent packing. Your Valuable Brand shall save your incompetence / cost optimization "slip"!

  11. Anonymous Coward
    Anonymous Coward

    Fines that are based on percentage of income

    Are supposed to be just that, in order to hurt companies no matter what their size but without killing them.

    Why isn't that being applied now?

  12. Robert Grant

    Although the attack was originally thought to have exposed half a billion records in the chain's guest reservation database, later investigations revised that figure downwards.

    Almost makes it worth announcing a huge breach, get a low per-person-breached fine amount, and then revising the breach numbers down.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like