Marriott Agrees $52m Settlement for Massive Data Breach

Hotel giant Marriott has agreed to pay a $52m settlement to 50 US states for a large multi-year data breach impacting 131.5 million American customers.

The 50-state settlement followed an investigation conducted by the Federal Trade Commission (FTC) and 50 state attorneys general into a breach of a Starwood guest reservation database that was discovered in September 2018.

It is estimated that 339 million guest records were exposed globally in the incident.

Attackers accessed the database undetected from July 2014 to September 2018.

Marriott acquired Starwood in 2016 and had control of the hotel group’s computer network from this time.

The impacted records included guests’ personal details and a limited number of unencrypted passport numbers and unexpired payment card information.

In October 2020, the UK’s Information Commissioner's Office (ICO) fined Marriott £18.4m ($24m) relating to the data breach of around seven million UK residents.

The agreement with the US states settles allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and to remediate known data security deficiencies.

As part of the settlement, Marriott has also agreed to strengthen its cybersecurity practices.

This includes implementation of a comprehensive information security program that incorporates zero trust principles and regular security reporting to the board and C-suite.

Marriott Accused of Security Deception

In a separate settlement order with the FTC, Marriott and its subsidiary Starwood have agreed to implement a “robust” information security program.

This agreement will settle charges that data security failings by the companies led to three large data breaches from 2014 to 2020, impacting more than 344 million customers worldwide.

These incidents were:

The FTC accused the hotels of deceiving consumers by claiming to have reasonable and appropriate data security.

However, Marriott and Starwood were found to have failed to implement appropriate password controls, access controls, firewall controls or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication.

Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, commented: “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.”

“The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe,” he added.

The consent agreement package will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final.

No Admission of Liability from Marriott

In a statement responding to the settlement, Marriott emphasized it has made no admission of liability with respect to the allegations brought by the FTC and state attorneys.

The hotel chain said it is already implementing enhancements to its data privacy and information security programs as set out in the settlements.

“Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats,” Marriott said.

Image credit: gerd-harder / Shutterstock.com