At least the Florida guy has been bankrupted by his breach. The level of fines really should be such as to put the offender in danger of bankruptcy. It's the only thing that will really get boards' attention.
Marriott settles for a piddly $52M after series of breaches affecting millions
Marriott has agreed to pay a $52 million penalty and develop a comprehensive infosec program following a series of major data breaches between 2014 and 2020 that affected more than 344 million people worldwide. This comes as a result of two settlements announced today: one involving a coalition of 49 state attorneys general …
COMMENTS
-
Wednesday 9th October 2024 23:35 GMT BinkyTheMagicPaperclip
So, they've agreed to do the minimum standard of what they should be doing already?
With a possible piddly fine if they get it wrong.
Oh my, such a deterrent, this will truly improve security across the industry and concentrate the minds of executives who have faced: exactly what censure other than precisely nothing?
I'd say it's unbelievable, but sadly it's all too predictable, especially in the US.
-
Thursday 10th October 2024 07:32 GMT Anonymous Coward
Starwood was always a huge risk
I discovered, by accident, that they avoided company-wide PCI DSS compliance for years. Until well after the merger, credit cards didn't go through corporate; the individual hotels or operators did it independently.
This means the volume of transactions almost never crossed the threshold where an independent QSA (auditor) would be required to examine controls.
-
Thursday 10th October 2024 09:09 GMT Guy de Loimbard
Fines aren't doing it
Anyone have any idea what we can do instead of slinging fines at these offenders?
Generally the huge corporations that end up with these fines either don't pay the initial amount, or the amount is so small to the entity that it resembles no deterrent at all.
We seriously need to find another way to address this, a method or methods that will gain traction in actually getting these entities to harden their security posture, so Joe Public isn't at risk.
Also, why does it appear that the fines are never used as restitution for the people actually impacted?
-
Thursday 10th October 2024 10:21 GMT SomeRandom1
Re: Fines aren't doing it
Jail time. 1 day per data subject breached, with a minimum of 6 months for everyone in the C-suite. Including those who were in the employ of the company during the breach as well as those currently employed. Where the remaining number of data subjects extends beyond the C-suite lifespan, convert each data subject breach to $1 (£ whatever) and additionally on top of jail time.
Real punishment should focus minds on the task, and force employment of competent staff and audits. The minimum to simply tick the boxes each year is not good enough, proven time and again.
Get paid the big wage, accept the big risk.
-
Thursday 10th October 2024 17:42 GMT Like a badger
Re: Fines aren't doing it
"Anyone have any idea what we can do instead of slinging fines at these offenders?"
Yes, hit them where it hurts and they can't just hide it away as "other operating costs". And doing so is simple: a regulator suspends them from contracting new business for a period. So in the case of a hotel chain, they can honour existing bookings but not take new ones. This doesn't have to be for more than a few days. This has been successfully done in the UK on one or two occasions; unfortunately, in the case I'm familiar with, the regulator concerned (Ofgem) weren't clever enough to realise how this was vastly more effective than just doling out fines.
When a company has its hands tied on new business, it means all the advertising it has already contracted doesn't drive new sales, and it means the entire sales (and potentially marketing) departments have to sit around twiddling their thumbs, with managers either telling staff to amuse themselves or inventing make-work. The top line suffers, there are few savings, so the impact is on the sort of thing, like revenue growth and profitability, that is invariably linked to exec bonuses. And the company has to front up to its own employees that it has messed up, and explain to intending customers why they can't book, place orders, or sign new contracts.
-