Marriott International has agreed to settle with the Federal Trade Commission and 50 state attorneys general over a series of data breaches at a guest-reservation system subsidiary.
According to multiple statements from the states, Marriott will pay $52 million to settle charges brought by 50 attorneys general over a data breach that exposed information of hundreds of millions of customers. According to the states, their allegations involve a breach that began in 2014 at Starwood Hotels but was not detected until September 2018. Marriott acquired Starwood in 2016.
“Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies,” said New York Attorney General Letitia James, in a statement.
The attorneys general began an investigation of the hotel chain after the data breach, alleging Marriott violated state consumer protection, personal-information protection, and breach notification laws.
New York will receive nearly $2.3 million of the settlement. Payments to states vary. In Ohio, set to get $1.5 million, Attorney General Dave Yost added that the attorneys general are “holding the company accountable and ensuring they put tools in place to prevent a repeat performance.”
Marriott, while admitting no liability, said it will continue to enhance data privacy and information security programs, “many of which are already in place or in progress.”
“Protecting guests’ personal data remains a top priority for Marriott,” the company said in a statement. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
The FTC, which worked with the states in this case, outlined three data breaches—two that occurred at Starwood before Marriott’s official acquisition. The first began in 2014 and involved payment card information of about 40,000 people. It was not detected until days before an announcement of Marriott’s acquisition. The second data breach began in 2014 and went undetected until 2018. This breach exposed nearly 340 million Starwood guest records, including millions of passport numbers.
The FTC said the third breach occurred from September 2018 to February 2020 at Marriott. Hackers accessed 5.2 million guest records worldwide, including 1.8 million in the U.S.
The commission said Marriott agreed to hold personal information only for as long as is “reasonably necessary,” certify compliance of its information security programs to the FTC annually for 20 years, restore loyalty points stolen by hackers, and allow customers to request that their personal information be deleted.