The UK's Information Commissioner's Office (ICO), acting under the EU General Data Protection Regulation (GDPR), proposed a fine of $230 million against British Airways for a website hack that affected about 500,000 customers.
Now the ICO has proposed a fine of $123 million (about half that amount) against Marriott for its unprecedented data breach, in which roughly 383 million guest records were exposed, including 5.25 million unencrypted passport numbers and 8.6 million payment card numbers (most of them expired).
Marriott's CEO said they stored passport numbers to make life easy for you, so you wouldn't have to keep re-entering them during the booking process. Which shows he understands about as much about making Marriott reservations as his tech team understands about security.
The Marriott fine alone is roughly 75% more than all the fines meted out in the first year of GDPR enforcement, a year that saw about 200,000 cases opened, some 64,000 of which found fault, yet produced total fines of only about $70 million, nearly 90% of which came from a single case against Google.
None of this money goes to people that had their passport data stolen.
The truth, though, is that most of the information stolen wasn't very valuable, and the valuable information that was stolen isn't actionable under GDPR.
Names, addresses and phone numbers used to be published in phone books, which were eventually digitized. Getting a copy of the phone book was never very helpful to a business.
Add in email addresses and passport numbers and things change a little. It is cheaper to email someone than to call them or send something by post. But a single email address still isn't worth much, and even a million email addresses aren't worth much, because response rates to spam are so low. In a breach this large, most of us are protected by our own obscurity, even where passport data is included: attackers cannot individually exploit hundreds of millions of people.
What is actually valuable is behavioral data fed into predictive models, which are a company's proprietary technology. Are you likely to upgrade to a suite? At what price point? What bundles of travel do you book together? Where do you usually stay, and what might break that pattern?
Marriott hasn't talked about this really valuable data and whether it was taken, preferring to focus on expired credit cards and passport numbers. The ICO proposes to fine Marriott for a criminal hack of its systems, which is how the law works, but it is not clearly the best way to encourage collaboration between large companies and the government agencies that protect against nation-state attacks.
And indeed, it is government agencies that are the biggest violators of data privacy.