
Intention to fine Marriott more than £99M under GDPR for data breach - snowwolf
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/
======
Benjamin_Dobell
Admittedly, I don't know the specifics e.g. if there was _obvious_ negligence.
However, this seems like a _major_ fine for a security vulnerability. The
statement given in the article is:

> _Personal data has a real value so organisations have a legal duty to ensure
> its security, just like they would do with any other asset. If that doesn’t
> happen, we will not hesitate to take strong action when necessary to protect
> the rights of the public_

Certainly, calling out poor security practices is a good thing, however this
level of scrutiny is going to require a major shift in mentality for a large
portion of the industry. "Move fast and break things" just isn't going to cut
it anymore.

~~~
mc32
> "Move fast and break things" just isn't going to cut it anymore.

That motivational quote should never have made it out into corporate
communication. It was embraced by everyone[1] because it seemed edgy and hey
that company is successful in spite of itself.

That should never have been embraced by anyone especially outside specific
contexts.

[1]Just about everyone embraced it because it was a kind of punk attitude in
the face of stodgy enterprise development schedules. Everyone wanted to seem
cool, so they went whole hog.

~~~
filoleg
I agree with you that for the heavy majority of companies (esp. medical or
self-driving car ones) "move fast and break things" is not a good idea at all.
However, I cannot agree with the absolutist nature of your statement.

>that company is successful in spite of itself

That's a pretty strong opinion. Some would argue that FB is successful because
of stuff like that.

A bit of a sidenote, but after all, I remember how badly Zuck was clowned
everywhere (including by FB shareholders and people here on HN) immediately
after the purchase of Instagram and WhatsApp. People were saying that FB is
dying and Zuck is trying to buy companies that are hyped but irrelevant to the
core business out of desperation. These days, it is a pretty universal
sentiment that those acquisitions were some of the smartest purchase decisions
he could have made at the time.

~~~
denzil_correa
> A bit of a sidenote, but after all, I remember how badly Zuck was clowned
> everywhere (including by FB shareholders and people here on HN) immediately
> after the purchase of Instagram and WhatsApp. People were saying that FB is
> dying and Zuck is trying to buy companies that are hyped but irrelevant to
> the core business out of desperation.

Most of HN didn't have some insider information which Facebook did. This
information was acquired by surreptitious data logging of a VPN "security" app
[0]. This is the same app which was controversially packaged as a "research"
app and then forced to take down from the App store [1].

[0] [https://www.wsj.com/articles/facebooks-onavo-gives-social-me...](https://www.wsj.com/articles/facebooks-onavo-gives-social-media-firm-inside-peek-at-rivals-users-1502622003)

[1] [https://www.theverge.com/2018/8/22/17771298/facebook-onavo-p...](https://www.theverge.com/2018/8/22/17771298/facebook-onavo-protect-apple-app-store-pulled-privacy-concerns)

------
gcthomas
A £99 million fine is on its way for Marriott after their 2018 breach of 30
million EU citizen guest records, for lack of due diligence over data
security.

Those who said EU regulations had no teeth last year might need to readjust
their expectations. This follows on from BA's large fine a few days ago.

~~~
gnode
I think the accusation that the GDPR has no teeth is not about the magnitude
of fines. The GDPR promised great enhancements to privacy and freedom in the
text of the legislation (opt-in data processing consent not conditional on
service; right to data erasure; data portability). In practice, enforcement
has been focused on punishing poor security, rather than lack of privacy or
freedom.

~~~
simias
That's fair, although even if they still only focus on breaches I think it
might improve privacy indirectly: the database that's hardest to hack is the
one that doesn't exist. If companies get in the mindset that storing client
data is a big liability they might decide that archiving everything and
anything forever might not be such a clever decision after all.

~~~
amputect
This is, as I understand it, the goal. I mentioned this in a different
comment, but getting companies to think of unsecured consumer data as a
liability is absolutely key to getting them to take privacy seriously.
Companies need to consciously decide if the risk of accruing this data is
worth the downside. Pre-GDPR there was functionally no downside at all.

------
ggcdn
The move towards increased regulation of software engineering, especially with
regards to security, makes me wonder if we will see state/provincial/national
engineering regulatory authorities move in on the field.

You can't, for instance, call yourself a structural engineer unless you are
registered with the regulatory authority as such. Nor can you offer
engineering services to the public without registration. And you are bound by
a code of ethics, subject to a formal complaint process, undergo somewhat
regular practice reviews, and can face disciplinary actions when you fail to
comply.

Right now, it seems like software engineering is the wild west, complete with
tales of fortune to be had attracting code-slingin' cowboys without regard for
the public's safety. I predict the lawman is coming for you.

~~~
Nasrudith
I worry that said lawmen are going to be more bureaucratic and even less
safe. Moving slowly isn't going to cut it, unlike in structural engineering. The
metaphor breaks down because the architect isn't responsible if people use
sound-dampened sledgehammers and saws in the middle of the night on vital
support beams. The software engineer is.

Especially given the origin cultures of regulators think that just banning
Cryptography is a remotely reasonable idea instead of barking mad.

Standards may make some sense but they should be deliberately open ended like
"encrypt customer data sufficiently or don't gather it" not "use single DES to
encrypt - if you use large key RSA you will be in deep shit in spite of it
being better".

~~~
marcus_holmes
yeah, it's going to be an interesting argument between the bits of government
that want to read your mail, and the bits of government that want to ensure
that you protect your customers' mail from being read.

~~~
noobiemcfoob
One of those seems a lot more powerful than the other...

------
bostik
This has far more potentially far-reaching connotations than the BA fine.

Yes, Marriott failed to conduct proper due diligence. Yes, they should have
been able to detect the breach earlier and block the attackers' access. And
yes, the attackers managed to stay in their system for a very, very long time.

But this breach was conducted by a _nation state adversary_. An attacker with
unlimited resources and the best technical knowledge on the planet. If
inability to protect yourself from such a threat becomes an offense, I am not
sure the net effect is positive.

~~~
tialaramex
Where are you seeing a nation state adversary? I wasn't able to find any
mention of this.

It's _annoyingly_ common for those who are subject to fairly ordinary attacks
to blame a powerful adversary based on very thin evidence, because "The state
of Russia attacked my business" sounds like you couldn't be expected to resist
whereas "A bored 14 year old attacked my business" sounds like you're useless.

~~~
bostik
This is one of those where the nature of the attack and inference together
make the case.

The attackers were inside the system for several _years_. Marriott is a high-
end hotel chain, whose establishments are used by state level travelers.
Having ongoing access to politicians' and high-ranking corporate executives'
itineraries, and especially their hotel room bookings, is an incredible avenue
for espionage.

A financially motivated attacker would have tried to exfiltrate otherwise
valuable data. But if the main target is the travel information data itself,
and if the scope does not particularly expand over time, I am going to call it
advanced espionage.

~~~
Raidion
In addition to that, while we know data was taken, it hasn't shown up in any
of the customary haunts for stolen information. Someone got access, and
squirreled away the data. Just some hacker looking to make some money from
identity theft would be selling that left and right.

------
glitchc
Ever since I stayed at a Marriott hotel (over five years ago), I have received
(and still do) telemarketing calls offering me a new deal on Marriott or
another of their subsidiaries. It's always a new agency with a new voice and a
different pitch. I wonder how many times Marriott has sold my data to third-
party agencies over the years?

~~~
universenz
Perhaps enough times where this fine from the EU is still considered
insignificant (apparently about 30p per record). If you consider your details
to be worth 5-10p per agency, if they've sold your details at least three
times they've already made their money back (including this fine from the EU).

------
argd678
Security is tricky for many companies since security is still somewhat
complicated compared to the level of talent you can hire, and the amount of
software needed to run an enterprise.

The solution is to have security controls that cross cut entire enterprises
and give operators a place to control them, however what we have today is just
a jumble of different solutions that consist more of blocking access rather
than allowing the business to run securely.

~~~
otterley
It seems reasonable not to operate a business that you can't operate according
to minimum standards. For example, you wouldn't run a construction company
without a properly trained builder on staff.

~~~
SkyBelow
Does "properly trained" include training to build buildings that cannot be
brought down or otherwise compromised by sustained targeted attacks using the
latest tools available? Most homes can be burnt down with $20 of gas and a
lighter; should we consider the builders of those homes to be improperly
trained?

------
buboard
Doesn't this incentivise companies to not disclose breaches?

At least, it puts a ceiling on the price a hacker can extort.

~~~
IanCal
Deliberately not disclosing the breach would likely result in much larger
fines.

>If you experience a personal data breach you need to consider whether this
poses a risk to people. You need to consider the likelihood and severity of
the risk to people’s rights and freedoms, following the breach. When you’ve
made this assessment, if it’s likely there will be a risk then you must notify
the ICO;

[https://ico.org.uk/for-organisations/report-a-breach/](https://ico.org.uk/for-organisations/report-a-breach/)

> The GDPR introduces a duty on all organisations to report certain types of
> personal data breach to the relevant supervisory authority. You must do this
> within 72 hours of becoming aware of the breach, where feasible.

[https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/)

~~~
buboard
There is no definite scale for the fines though, I'm pretty sure negotiating
with the hackers will be cheaper 100% of the time. This is interesting from a
free market perspective: The undefined cost of the fines would lead to the
discovery of the true price of data leaks by negotiating with thieves.

~~~
IanCal
> There is no definite scale for the fines though, I'm pretty sure negotiating
> with the hackers will be cheaper 100% of the time

This will not be true if any paid-off breach is ever discovered as then you'll
have paid the hackers _and_ the fine, which will be larger because you've
deliberately kept it from the ICO/similar.

------
SpicyLemonZest
It's really strange how little detail they're providing here. How are other UK
businesses looking at this supposed to know what level of security is expected
of them?

------
binarymax
For context, Marriott's 2018 revenue was $20 Billion...so this fine is 0.5% -
not insignificant, but not as high as the maximum 4% which is possible under
GDPR.

EDIT: source: [https://www.statista.com/statistics/266279/revenue-of-the-ma...](https://www.statista.com/statistics/266279/revenue-of-the-marriott-international-inc-hotel-chain/)

~~~
me_me_me
I am ok with it being below maximum for now. They should start to increase the
fines little by little and the big corps will catch on and start to treat
security with more respect.

~~~
isostatic
If Marriott are caught again they can expect a far larger fine.

The board should be planning some proper security. A £50m capital budget and
£5m a year revenue should be good enough.

~~~
DocTomoe
Or they could set up an insurance fund for that kind of fine for similar
money, and eventually that fund would be less expensive.

After all, you don't have such a leak every other week.

~~~
isostatic
If they make no attempt to improve their security I suspect the next incident
will cost them $800m. Be interesting to see who will insure them against that.

~~~
filoleg
When the parent comment said "they could set up an insurance fund", I believe
they didn't mean a literal contract with an insurance company, but a straight
up savings fund set up by Marriott to be used in the future specifically for
expenses like that.

~~~
isostatic
That's still self insurance, and it's still going to hit them for $800m next
time they have a leak.

Will have to be a big fund.

~~~
filoleg
Of course. My comment was mostly directed towards the "interesting to see who
will insure them against that" part.

------
Zenst
I wonder if this increasing influx of fines will become part of how the GDP
is calculated eventually. Certainly a revenue stream for governments more and
more these days, with issues left to fester and then some law with the ability
to capitalise (fine) upon the situation coming into play.

But when you fine a company the customers end up paying, same customers who
ended up being the victims of whatever reason the fine was needed in the first
place. Sadly I don't see a way of fixing that enpass.

------
JeanSebTr
Is that breach's data accessible somewhere? I've never been able to reclaim
my points because they mistyped my home address...

------
kaiju0
The extortion opportunities are looking very sweet. Breach a company and
charge them a keep-quiet fee. Let's call it a consulting fee. If it's cheaper
than a GDPR fine the company will likely do it.

~~~
petey283
On first blush, I would think this would at the very least force companies to
improve their security.

~~~
Nasrudith
That brings to mind a hypothetical dysfunctional yet oddly workable system of
deputization akin to ADA compliance lawyers - registered hackers able to hack
and cite for violations to receive a fine portion - perhaps with a bonus for
fixing on the way out. Also very cyberpunk in a satirical "Snow Crash" way.

Not saying that we should adopt such a system, potentially terrible idea but
it amusingly is better than other "do something" legislation in that it would
actually help the target problem even if there are clear downsides.

------
sprafa
I can’t think of a single GDPR fine I couldn’t get 1000% behind. Haven’t
companies had ages to adapt anyway?? I mean dear lord it’s literally like they
won’t do anything until they see someone in their space get fined. Absolute
corporate misconduct.

------
hnbroseph
If I can get your customer records, and charge you substantially less than a
fine to not release them...

I think the application of fines of this sort will further empower those who
extort and blackmail.

------
pmoriarty
I wonder if there's any chance something like the GDPR could make it in to law
in the US. It's long past time for the US government to take serious actions
against companies that violate user privacy and security.

~~~
atonse
Won't happen in this climate. Or any climate. This current clan is too
business-friendly.

I could see someone like Elizabeth Warren or Ron Wyden getting behind it, but
not really the rest of the pack (it's not a popular enough issue when you
weigh it against things like student loan forgiveness, or universal
healthcare).

I do wish it would become law here. It would make my professional life a bit
harder (mostly on the security front, we already steadfastly refuse to
"monetize the data" or even give it to any third party, to the point we've
rejected those questions from investors) but it's definitely the right thing
to do since the benefit for consumers is much more important.

------
bogrollben
Key part of the article is that the data breach occurred 2 years PRIOR to the
acquisition. How can due diligence possibly discover this? Seems like
government overreach to me.

~~~
biot
A detailed security audit of their systems should have uncovered areas where
their security was lacking and they should have undertaken steps to remedy the
defects. It’s something you should do during an acquisition anyways. If their
software is crap, the price of acquisition should decrease by some amount in
anticipation of the work required to meet data protection laws. Not performing
the audit means not only are you likely to pay too much for the acquired
company, but it also opens you up to liability as was the case here.

------
supernova87a
Marriott should be fined that amount just for the shittiness of its website.
They are a company whose management is out to sea on autopilot, on holiday and
it shows after the merger with SPG. That UI and customer experience (and what
it says about the brand) is getting terrible.
