Marriott settles with FTC, to pay $52 million over data breaches

Marriott International and its subsidiary Starwood Hotels will pay $52 million and create a comprehensive information security program as part of settlements for data breaches that impacted over 344 million customers.

The settlement requires Marriott and Starwood to implement a comprehensive security program and allow their U.S. customers to request personal data deletions.

Additionally, the American hospitality giant has agreed to pay $52,000,000 to 49 states to resolve claims related to the data breaches.

Marriot’s many data breaches

Marriott International is a hospitality company that manages and franchises a vast portfolio of hotels and lodging facilities, operating more than 7,000 properties across 130 countries.

Starwood was an American hotel and leisure company until its acquisition by Marriott in 2016, making the latter responsible for data security and related hotel operations.

FTC’s announcement highlights three cases where Marriott failed to safeguard its customers’ information.

In June 2014, Starwood suffered a data breach where the payment card information of many of its customers was exposed. The breach was discovered and publicly disclosed 14 months later, leaving impacted clients exposed to elevated risks for over a year.

The second incident concerns hackers accessing 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. That breach occurred in July 2014 but was detected in September 2018, again leaving clients exposed for a multi-year period.

The third breach impacted Marriott itself, where malicious actors accessed the records of 5.2 million guests in September 2018. The exposed data included names, email addresses, postal addresses, phone numbers, dates of birth, and loyalty account information.

In this case, too, it took Marriott until February 2020 to discover the compromise and inform its clients accordingly.

The settlement

The FTC accuses the two companies of misleading consumers about their data security practices and outlined failures such as poor password controls, outdated software, and lack of appropriate monitoring of its IT environment.

As part of the settlement agreement, Marriott and its subsidiary Starwood will now have to implement the following measures:

1. Establish a comprehensive information security program with third-party assessments every two years and annual compliance certification for 20 years.
2. Limit data retention to what is necessary and inform customers of the reason for collecting and keeping their data.
3. Allow customers to request reviews of unauthorized activity in their loyalty accounts and restore stolen points.
4. Provide a way for customers to request deletion of personal information linked to their email or loyalty account.
5. Prohibit misrepresenting how personal data is handled and ensure transparency in security practices.

Marriott has also reached a separate settlement announced simultaneously with 49 states and the District of Columbia, agreeing to pay $52,000,000 to resolve allegations and claims related to the above security incidents.