Marriott Got Bonvoyed by the EU: $123 Million Fine Does Nothing to Protect Meaningful Data

The UK, acting on an EU General Data Protection Regulation (GDPR) case, proposed a fine of $230 million against British Airways for a website hack that affected 500,000 customers.

Now the UK has proposed a fine of $123 million (about half) against Marriott for their unprecedented data breach in which 383 million records were hacked including 5.25 million unencrypted passport numbers and 8.6 million payment cards (most expired).

Marriott’s CEO said they stored your passports to make life easy for you so you wouldn’t have to keep entering them during the booking process. Which shows he understands about as much about making Marriott reservations as his tech team understands about security.

This is 50% more than all the fines meted out in the first year of GDPR enforcement which saw 200,000 investigations, 64,000 of which found fault, resulting in total fines of approximately $70 million — nearly 90% of which was from a single case against Google.

None of this money goes to people that had their passport data stolen.

The truth is though that most of the information stolen wasn’t very valuable, and the valuable information that was stolen isn’t actionable under GDPR.

Names, addresses and phone numbers were published in phone books and eventually digitized. Getting a copy of the phone book wasn’t very helpful to businesses.

Add in email addresses and passports things change a little bit. It’s cheaper to email someone than to call them or send something by mail. But a single email address still doesn’t have very much value. Even one million email addresses aren’t very valuable, because response rates to spam are so low. Most of us are secure in such a large data breach even including passport data through our own obscurity.

What’s actually valuable is behavioral data fed into predictive tools which are the proprietary technology of a company. Will you be likely to buy up to a suite? At what price point? What bundles of travel do you book together? Where do you usually stay and what might break that pattern?

Marriott hasn’t talked about the really valuable data that’s been breached, preferring to focus on expired credit cards and passports. The EU proposes to fine Marriott for a criminal hack of their systems, which is how the law works, but it’s not clearly the best way to drive collaboration between large companies and government agencies protecting against nation state attacks.

And indeed it’s government agencies that are the biggest violators of data privacy.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. You’ve missed the mark badly in your screeds against GDPR consumer protections. In addition to the fine against the company, individuals have the right for compensation pursuant to Article 82. The ability to impose and the imposition of a fine is intended to deter unlawful practice. The size of the fine is related to behavior of the offending company and the magnitude of the harm. Your references to a prior year’s total fines is as irrelevant for judging the reasonable of the fines against BA and Marriott as your your complaint that the fine is not going directly to consumers. You’re also off the mark minimizing the potential harm to consumers. Organized crime operations seek to monetize the data they’ve stolen, which will typically involve exploiting the consumer’s identity in a manner that is harmful to the consumer. Stolen data can be sold to others who might, for example, want to stalk someone is who trying to keep her identify and location hidden. A free market approach has failed miserably in the market for personal consumer data.

  2. Clearly, the folks who went through the hard work of breaching Marriott’s and BA’s systems and obtaining our data thought their efforts were worthwhile. Pieces of data may have little value individually but can have great value when combined with other seemingly worthless info. That’s supposedly how intelligence services and identity thieves operate.

  3. @Birny – my criticisms of the fines have nothing to do with individuals seeking compensation, by all means in fact the whole point of my post on BA is that the funds ought to go to affected consumers.

  4. No system is fallible. You could have best in class security and still get hacked…and the EU still wants to levy fines? Here’s an idea: how about go after the actual criminals who illegally access the systems. Nah, that’s too hard. No due process necessary, let’s just instead create ridiculous new laws, apply them retroactively, assume negligence, fault and damages where there may not be any, and pay ourselves a few hundred million for a good days work. The only shock is that they finally actually also fined a non-US company.

  5. Well maybe these companies will learn once and for all that playing fast and cheap with our data will not be without costs—big costs. It won’t happen here because big corporations own the government here in the USA.

    Pay now or pay later. It’s your choice. Risk Managers take note.

  6. @Gary — but you are still missing the point that large fines ultimately do protect consumers in forcing companies to take the regulations more seriously and to conform their conduct to the law. That the money doesn’t go to the consumer’s seems like a very tangential point. As does focusing on the exact value of the information that was not properly secured by Marriott.

    Put simply I think your claim that this fine and the BA fine “does nothing to protect meaningful data” is flatly and empirically incorrect. I would guess that every company big and small that is subject to the regulation is taking note that regulators are serious and are likely increasing their investment and security in a commensurate manner.

    Your position on this is surprising. You know how regulatory fines work and are intended to work. You seem to be ignoring that in order to make your frankly bizarre and kind of uninteresting gotcha points about behavioral data. Non identity specific behavioral data may be more “valuable,” but it isn’t what privacy regulations are concerned about nor should they be. These fines are about protecting certain kinds of data without regard necessarily to its monetary value relative to other kinds of data companies harvest. That behavioral data is easier to monetize than private information hardly makes the data that GDPR is designed to protect not “meaningful.” Personal data that companies demand to collect is quite meaningful to a great many people who support privacy regulations.

    If you were posting an article taking the position that aggregate behavioral data should be regarded as intellectual property and were advocating for lawmakers to give consumers right to recover for the gathering of that intellectual property, perhaps that would be interesting. Not to me, but some would read it I am sure. To tether that argument, though, to a contention that GDPR fines are not beneficial to consumers because other kinds of data has more readily identifiable monetary value is a rhetorical trick and strawman.

  7. The fines are a small part of the GDPR work being done. For years, GDPR has been coming, and data protection agencies in European countries (including Norway, not an EU member, and where I am from) has used _a lot_ of resources into educating and telling companies they’ve got to get their sh*t together.

    And at most companies, it’s worked. Now, data _is_ deleted after reasonable use. Do you need to have the name, phone number, e-mail address etc at a breakfast list? No – the room number is enough. Do you need the name and phone number for an arrival list? Yes, but after a week, that’s not any information you need anymore, and must delete it. Do you need to have information on locally stored spreadsheets or should you rather use an online system where things can be confirmed deleted? etc.

    GDPR is a hassle, yes – I work with it each day as a manager in an IT company. Is it worth it? Heck yeah. People are now getting aware that their data is THEIR data, and that companies have to treat it as private information, including removing it from their systems – or keep it, after I have actively given permission to store it.

    And yes, I do quite often let companies store my data – like a travel company to make my next booking easier. And other times, no – I don’t need a hotel chain in a country I probably won’t visit again for loads of years to have my data stored.

    ID theft is a real thing, it is scary and we have to be more aware. GDPR is an important step. Fines are not levied if you can show that you have done some real work to secure the data, and remove it after needed use.

    Two of our customers have been fined for GDPR-like infractions (loss of data and not enough done to minimise threat – like two-factor logins), and their managers state clearly: it was the right thing to do, and it’s increased the focus on privacy.

Leave a Reply

Your email address will not be published. Required fields are marked *