I'm ever so slightly optimistic in this regard. As soon as we see a few GDPR-related penalties assessed, the risk-reward calculation will change drastically.
According to their 2017 annual report [1], Marriott had $22.9bn in worldwide revenue. A 4% penalty on that would be $900M.
I read that there was some kind of grace period involving GDPR penalties. Has the EU handed out any fines yet, or is it still letting companies adjust?
The question is probably whether it is state of the art to encrypt passport numbers. If yes, then Marriott could be fined with a similar argument of "the company knowingly violated its duty to ensure data security".
[1] https://marriott.gcs-web.com/static-files/057a8e1a-a5c5-4c20...