Security News > 2020 > October > Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years
Your name, address, phone number, email address, passport number, date of birth, and sex are worth just £0.05 in the eyes of the UK Information Commissioner's Office, which has fined Marriott £18.4m after 339 million people's data was stolen from the hotel chain.
Within the exposed data were 5.25 million guests' passport numbers, stored without encryption, as well as 18.5 million encrypted passport numbers and 9.1 million encrypted credit card numbers.
According to the ICO's detailed monetary penalty notice [PDF], the hack was years in the making and was only detected when the attackers started sniffing around payment card data, having gone unnoticed for four years inside Starwood Hotels' systems.
The ICO said it would have imposed a £28m penalty but for Marriott having established a data breach website and call centre to serve a data breach hotline.
Francis Gaffney, director of threat intelligence at email security biz Mimecast, opined: "Too often, regulation is viewed as a burden, but organisations should start to view it through the lens of their customers, partners, or employees. If a customer trusts you with their data, you owe it to them to protect it and ensure it is safe. Many organisations are having to pay financial penalties for such data breaches and it is only afterwards that the cost of a breach now outweighs the potential savings from not investing in security and data management solutions." .