Marriott settles over data breach that exposed millions of guests


Marriott International has agreed to pay $52 million as part of settlement agreements over data breaches that together exposed the information of more than 344 million guests worldwide.

The Bethesda, Maryland-based hotel company also agreed to bolster its data security and resolve issues that led to three major breaches between 2014 and 2020, according to the Federal Trade Commission (FTC).

The regulators said Marriott International and its subsidiary Starwood Hotels & Resorts will have to implement “a robust information security program to settle charges.”


After working in parallel on the investigation, the FTC and attorneys general of 49 states and the District of Columbia separately announced the terms of settlement agreements with Marriott.

According to Samuel Levine, director of the FTC’s Bureau of Consumer Protection, the agreements will ensure that Marriott improves its data security practices in hotels “around the globe.”

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Levine said.

In a statement published on its website, Marriott said it made “no admission of liability with respect to underlying allegations” as part of the settlement.

It also said it had already enhanced its data privacy and information security practices and would continue to do more.

What are the terms of the agreements?

As part of the settlement agreement with the FTC, Marriott was ordered to take steps to better protect customers’ personal information, as well as give customers more control over their data.

Marriott agreed to provide all its customers in the US with a way to request the deletion of personal information associated with their email address or loyalty rewards account number.


Additionally, the settlement requires Marriott to review loyalty reward accounts upon customer request and restore stolen loyalty points.

It was also asked to implement a “comprehensive” information security program that includes multi-factor authentication, encryption, and other safeguards. Additionally, the company agreed to cooperate with third-party audits of its information security program.

Marriott was also told to only collect and keep personal information if it is necessary for business purposes and to delete the collected data when it’s no longer needed.

Under a separate settlement with the states, Marriott also agreed to pay a $52 million penalty and resolve similar data security allegations to those outlined in the agreement with the FTC.

What were the allegations?

According to the FTC, Marriott and Starwood “deceived” consumers by claiming to have appropriate data security when they did not.

Specifically, the complaint alleged that Marriott and Starwood failed to implement appropriate password controls, access controls, firewall controls, or network segmentation; failed to patch outdated software and systems; and failed to adequately log and monitor their network environments.

Adequate multi-factor authentication was not deployed either, according to the FTC.

As a result, “malicious actors” obtained personal information through at least three separate data breaches, including passport information, payment card numbers, loyalty numbers, dates of birth, email addresses, and other personal information.

According to the FTC, the first breach, which began in June 2014, affected Starwood and went undetected for 14 months before the hotel notified customers. The complaint noted that the breach exposed the payment card information of more than 40,000 customers.


While Marriott acquired Starwood in 2016, it is held responsible for the data security practices of both brands.

The second breach began around July 2014 and was only detected in September 2018. During this period, bad actors accessed 339 million Starwood guest account records worldwide, including over five million unencrypted passport numbers.

The third breach affected Marriott’s own network and went undetected from September 2018 until February 2020. The FTC said malicious actors accessed 5.2 million guest records over that period, including data from 1.8 million Americans.

More than 7,000 properties throughout the US and across more than 130 other countries are under Marriott’s management and franchise agreements.