Hilton Paid a $700K Fine For 2015 Breach; Under GDPR, It Would Be $420 Million (digitalguardian.com)

chicksdaddy writes from a report via Digital Guardian: If you want to understand the ground shaking change that the EU's General Data Protection Rule (GDPR) will have when it comes into force in May of 2018, look no further than hotel giant Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc (a.k.a. "Hilton."). On Tuesday, the New York Attorney General Eric T. Schneiderman slapped a $700,000 fine on the hotel giant for two 2015 incidents in which the company was hacked, spilling credit card and other information for 350,000 customers. Schneiderman also punished Hilton for its response to the incident. The company first learned in February 2015 that its customer data had been exposed through a UK-based system belonging to the company, which was observed by a contractor communicating with "a suspicious computer outside Hilton's computer network." Still, it took Hilton until November 24, 2015 -- over nine months after the first intrusion was discovered -- to notify the public. That kind of lackluster response has become pretty typical among Fortune 500 companies (see also: Equifax). And why not? The $700,000 fine from the NY AG is a palatable $2 per lost record -- and a mere rounding error for Hilton, which reported revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue in the year of the breach. Schneiderman's fine was less "bringing down the hammer" than a butterfly kiss for Hilton's C-suite, board and shareholders.

But things are going to be different for Hilton and other companies like it come May 2018 when provisions of the EU's General Data Protection Rule (or GDPR) go into effect, as Digital Guardian points out on their blog. Under that new law, data "controllers" like Hilton (in other words: organizations that collect data on customers or employees) can be fined up to 4% of annual turnover in the year preceding the incident for failing to meet the law's charge to protect that data. What does that mean practically for a company like Hilton? Well, the company's FY 2014 revenue (or "turnover") was $10.5 billion. Four percent of that is a cool $420 million dollars -- or $1,200, rather than $2, for every customer record lost. Needless to say, that's a number that will get the attention of the company's Board of Directors and shareholders.

  • Excellent (Score:5, Insightful)

    by sit1963nz ( 934837 ) on Thursday November 02, 2017 @08:34PM (#55480255)
    The fines are one thing, but there needs to be criminal liability for senior management too. They want the big money, well the risk, responsibility and liability comes with it. Don't want the risks etc., then get a job like the rest of us.
    • Re:Excellent (Score:5, Insightful)

      by ShanghaiBill ( 739463 ) on Thursday November 02, 2017 @09:48PM (#55480497)

      there needs to be criminal liability for senior management too.

      If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.

      America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        It's not incompetence -- that's just the veneer of plausible deniability. This is willful negligence, and there's a difference. Incompetence is when giving your best effort isn't good enough. These criminals have a willful disinterest in protecting anything that doesn't belong to them.

        To give you a rough analogy: incompetence is when the bank builds a standard vault, but criminals find a way to break in anyhow. Criminal negligence is when your bank puts its depositors' cash and valuables in a chicken-w

        • This. On top of that, the Hilton execs waited 9 months before informing the public of the breach. Now that really merits some jail time for those responsible. Even if they "didn't know". That's what being responsible means.
      • Wow, I haven't seen corporate criminals defended like that before. Good job, and the payment should arrive in your Paypal soon.
      • Re:Excellent (Score:4, Informative)

        by eth1 ( 94901 ) on Friday November 03, 2017 @09:21AM (#55482407)

        there needs to be criminal liability for senior management too.

        If we are going to start putting people in prison for incompetence, then we will need a lot more prisons.

        America already imprisons four times as many people as any other 1st world country. Perhaps we should stop looking at incarceration as the solution to every problem.

        In this case, it's not incompetence. I work in infosec at the engineer/architect level, and we NEVER have the resources to do things properly. It's expensive and time consuming, and profits are more important to senior management than security, plain and simple. Add to that the fact that everyone above our heads (including the CEO) complains loudly at even the slightest inconvenience in the name of security ("two-factor is too much trouble, turn it off!"), and it's hopeless without some kind of "incentives" that the higher-ups can understand.

    • > get a job like the rest of us.

      That's precisely what any intelligent person would do if any mistakes by any of the thousands of employees at the company could cause the executives to go to prison. Only stupid or extremely ignorant people would accept an executive title. A company could either hire morons to actually run the company, meaning your job and your 401k would soon be gone, or have a string of puppets, where the moron who holds the title of CEO is controlled by people whose involvement is we

      • by Cederic ( 9623 )

        That's not the case - as an example, the UK executives at financial services organisations have criminal liability for the behaviour of their companies and can be prosecuted for failing to obey the law.

        When CRAs came under the FCA I do know two people that chose to move to an unregulated business; their colleagues generally celebrated, as the FCA merely expect you to run a business properly with some semblance of ethics.

        However, there were a substantial number of other people that said, "Yeah, I'm now faci

        • I'm looking over the CRA/FCA handbook and I don't immediately see anything relevant to this discussion. Perhaps you can point out what you're talking about?
          https://www.handbook.fca.org.u... [fca.org.uk]

          I see if a company criminally defrauds the government, the people involved in perpetrating that crime can (of course) be held criminally liable.

          I don't see anything about "all the executives go to prison if a sysadmin doesn't do a good job patching or a server, or any other security mistake". Can you help me find that

          • by Cederic ( 9623 )

            Ok, that's tricky to source. Best I can find with a quick hunt is this:
            https://www.fca.org.uk/news/sp... [fca.org.uk]

            It's light on the measures available, but clearly demonstrates the FCA's expectations around individual accountability and their ability to intervene.

            • Thank you for that link. I see the first half of the speech discusses the age-old problem of determining who is responsible, the specific people who did the crime vs the company they work for. That is, of course, fact-dependent, but the question posed is "is the human person who actually, physically did the crime responsible, or the company" - there is no mention of "all the executives who work at the company" being imprisoned. That idea is found only on Slashdot, not in any law anywhere in the world (bec

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Step 1: Find poor guy with little means (likely to end up in prison anyway)
      Step 2: Offer him a role as CxO for $250,000
      Step 3: Control everything as before, except now with the title of "Puppet master"
      Step 4: Not go to prison when things go wrong.

      I bet there are thousands of people willing to sit in a chair for $250,000 a year in return for the possibility of going to prison.

      • You can find ads from criminal enterprises looking to hire fall guys like this on Craigslist. The fall guy's job is just to sign some papers and handle mail...

      • by jabuzz ( 182671 )

        Yeah problem is that won't work in most sane legal jurisdictions. Might make the prosecution harder, but it won't absolve you of legal responsibility.

    • Not necessarily. The big problem is not the lack of jail time, it's the lack of any consequences. If companies start to pay such large fines, then that gives the shareholders a big incentive to make salary, bonuses, and share options contingent on avoiding such fines.
    • by Xest ( 935314 )

      There already is under the EU's existing Data Protection Directive, this doesn't change under GDPR, the problem is it's never enforced because regulators are scared of enforcing personal liability in case the person they're enforcing against is mates with the politician who hires and fires them.

      Even when the regulator did do this when one of the porn piracy parasite lawyers left a list of every person he was trying to blackmail for money on a public server meaning people were outed and such publicly through

  • $700,000 is small change for a corporation as big as Hilton, but make no mistake, the guy or team that cost Hilton $700,000 felt the pain, when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big. No bonus for the IT team this year!

    • by rtb61 ( 674572 )

      You know what is even worse, a percentage fine of turnover. Hilton now owns a data company that it pays to control its data, the company operates at cost, turnover just barely enough to sustain the $2 company - HAH HAH SUCKERS.

      • Hilton can outsource its data processing, but they still own the data, and carry the responsibility that comes with it.
        • The mission: outsource the owning/responsibility without outsourcing the actual revenue.

          There's gotta be a way. No way EU's law-drafters thought of everything. Hilton just needs some clever black hat lawyers.

      • by Tawnos ( 1030370 )

        The GDPR makes such shenanigans difficult. In such a case, the data company would be a "processor", not a "controller", and that other company would still incur the fines.

    • when it filters down to the IT managers and what kind of money they represent to Hilton and what they cost, $700,000 error is big.

      Hilton lost a lot more than $700,000 because of the breach. I'll bet you that the overall blow to their worldwide brand was much higher. After all, if you're going to hold a corporate event, hold a wedding, cheat on your spouse, have a furry convention, or travel the world, why would you risk using a Hilton hotel when there are so many other hotels to choose from.

      So their IT is responsible for losing a lot more than $700,000, but I'm not sure the delay of the notification to the public once discovered can b

    • by jopsen ( 885607 )
      That's true, and surely there will be distinction between various degrees of negligence, stupidity and bad luck.
      But keeping the intrusion under wraps for months on end will probably be considered fairly "calculated" and very deliberate, hence, the hammer would fall very hard.

      With any luck, we'll see more openness and more investments in security. For sure the new rules are going to mean 2FA everywhere.
    • by Cederic ( 9623 )

      Sadly in the UK the ICO seems reluctant to issue any fines, and seems to be suggesting that they'll never fully use the powers available to them.

      I'd like to see a couple of companies properly spanked, maximum fines and/or prevented from data processing, just to demonstrate that it's taken seriously. Don't think it's likely though, excluding small companies that nobody cares about and that can be reconstituted in a few days.

  • Well, if companies just decide to put data on UK servers and have UK HQs, and I am predicting a brexit that will allow most companies there to do business with the rest of Europe but still not abide by the EU court, I can already imagine the loopholes most companies are gonna abuse for simply ignoring that problem. Then again, I am hoping my elected representatives in the EU parliament won't be that foolish.

    • by Anonymous Coward

      This is one of the key loopholes the GDPR is designed to address. It also applies to companies outside the EU that are collecting data about people in the EU, or selling goods and services to people in the EU.

    • by Anonymous Coward

      In addition to the other response you got, the UK is also going on the GDPR bandwagon. Not only are they *still* in the EU (and will be when it comes into effect), but they will keep the legislation.

  • by Anonymous Coward on Thursday November 02, 2017 @09:09PM (#55480367)

    Imagine if you and I could do crimes like corporations.

    Rule 1: You NEVER go to prison. Period. Shutting down a company? Unthinkable!
    Rule 2: You, at worst, pay fines, that are relative to your yearly income!
    Rule 3: The fines will be limited to silly meaningless amounts like 4%. So, what, like $1600-3200? Not the usual fines that easily swallow more than the average person makes in a year, up to many millions.

    Yeah. How much does a company get for murder?
    Well, let's use Microsoft as an example.
    What do you get for regularly having sex with people, injecting your pathogen into them, eating them out from the inside, and impersonating them, by wearing their skins?
    Well, the "fine" of being allowed to ejaculate crack "licenses" over schoolchildren of a school, that cost you absolutely zero to produce, but hooks more children to your crack.

    Yeah, if corporations were actually people ... SAW and The Devil's Rejects would be what happens everywhere, every day, all day.

  • %.00006 of $11.2B is $7,000.
    • %.00006 of $11.2B is $7,000.

      The $11.2B is revenue, not profit. Their profit last year was $309M, or less than 3% of revenue.

      • by msauve ( 701917 )
        Congratulations, you achieved a new low, you didn't even bother to read the summary, which incorrectly claimed

        ...revenues of $11.2 billion in 2015, the year of the breach. That means the $700,000 fine was just %.00006 of Hilton's annual revenue...

        The GP is correct - the writer was wrong by a factor of 10000%.

  • by CanadianMacFan ( 1900244 ) on Thursday November 02, 2017 @09:26PM (#55480411)

    Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.

    And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach was the fault of Hilton Customer Data Processing Company and the fine will be minimal.

    I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).

    • by Anonymous Coward

      Actually, no. GDPR clearly states the 4% is calculated for the worldwide turnover of the group or parent company. It was designed to avoid that kind of loophole.

      • Actually, no. GDPR clearly states the 4% is calculated for the worldwide turnover

        That is NOT clear, since "turnover" is not an accounting or legal term, and is ambiguous. Depending on context "turnover" can mean gross revenue, net revenue, net income, or even include consignments that are neither revenue nor income. I doubt very much that the actual law will use that word.

    • Since it's an EU rule, perhaps it would just be the combined revenue of operations in countries who are members of the EU. If Hilton wants to isolate financial harm done by a separate data processing company, they'd likely want to be certain that they own less than 50% of it. Otherwise, it isn't separate.
      • by Cederic ( 9623 )

        Nope. "20 million Euros or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher"

        -- https://publications.parliamen... [parliament.uk]

        Although interestingly that wording doesn't explore complex corporate structures, and 'undertaking' doesn't look like it's defined anywhere. Although if it was it probably wouldn't help, I read the definition of 'controller' and couldn't make any fucking sense of it at all. Bloody legalese.

    • Every country has their own instance of the company. So in this case there will be a Hilton that owns Hilton USA, Hilton UK, Hilton Canada, etc. The data breach took place in the UK so the maximum fine would be based on revenue of the previous fiscal year of Hilton UK, not Hilton (Worldwide). Unless they propose on fining companies that aren't responsible for the data breach.

      And if they do decide to go after the global entities then all they will do is create separate companies to handle all of the customer data processing that are paid just enough to keep things running. Then Hilton will say the data breach was the fault of Hilton Customer Data Processing Company and the fine will be minimal.

      I'm not saying how these companies have acted is right. I think that there should be jail time involved for the CxOs instead of large fines for their inept handling of customer data (and especially those that brought about the global financial crisis).

      That could be - though we presume that the UK IT asset that was breached belonged to a separate corporate entity from Hilton itself - a big assumption. Also, there were actually two breaches in 2015, only one in the UK. The other was in the US. The question is: does it matter how many of the 350,000 affected were EU citizens or is even one victim enough to bring a fine - let alone the maximum fine?

  • I don't see a link to the law in the article so I have to assume its language is correct. "can" isn't "will". I doubt we'll ever see a company hit with a 4% fine.

    Also, since NY settled, I'd guess they didn't take as much as they might have either. I see no indication in the article as to what they could have gotten.

    • I'm actually far more sure that someone will get hit with a 4% fine - and probably relatively soon (like 2-3 years, maybe). Partly because they want to make an example, but also because there'll be a fairly big company somewhere that just isn't well enough prepared and will be in breach on day one. It'll probably be a foreign owned company, who (like many people here, it seems) mistakenly believe it doesn't really apply to them. They'll do some half-arsed job of implementing the required procedures, data wi

  • The key part of the fine provision (Article 83) is that there is an opportunity to fine €20 million (reduced from €100 million in earlier drafts) or 4% of global annual turnover (whichever is higher), for Tier 2 violations (e.g. violations of data subject rights), while this is halved for Tier 1 violations (breach of data controller/processor obligations). Given that the organisation was hacked and data leaked, they are perhaps at most guilty of negligence in their obligations as data controllers,

    • One thing they didn't do was disclose in a timely manner. This is a breach of paragraph 38, which is a 2% administrative fine. I agree, it's not likely they would see $420 Million, but willfully not disclosing for 9 months would likely qualify them for a very significant fine.
      • by Cederic ( 9623 )

        Thank you both - informed and interesting contribution, and helped me understand it all a little better too.

        Complex nasty legislation. Going to be fun in May :)

  • It could be 420 Million, but I very much doubt it would be. So the subject is incorrect.
