![](\"https:\/\/www.insurancejournal.com\/app\/uploads\/2015\/04\/data-breach-580x387.jpg\")
<\/p>\nMarriott International has agreed to settle with the Federal Trade Commission and 50 state attorneys general over a series of data breaches at a guest-reservation system subsidiary.<\/p>\n
According to multiple statements from the states, Marriott will pay $52 million to settle charges brought by 50 attorneys general over a data breach that exposed information of hundreds of millions of customers. According to the states, their allegations involve a breach that began in 2014 at Starwood Hotels but was not detected until September 2018. Marriott acquired Starwood in 2016.<\/p>\n
\u201cMarriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers\u2019 private information should be a top priority, not a last resort, for all companies.\u201d said New York Attorney General Letitia James, in a statement.<\/p>\n
The attorneys general began an investigation of the hotel chain after the data breach, alleging Marriott violated state consumer protection, personal-information protection, and breach notification laws.<\/p>\n
New York will receive nearly $2.3 million of the settlement. Payments to states vary. In Ohio, set to get $1.5 million, Attorney General Dave Yost added that the attorneys general are \u201cholding the company accountable and ensuring they put tools in place to prevent a repeat performance.\u201d<\/p>\n
Marriott, while admitting no liability, said it will continue to enhance data privacy and information security programs, \u201cmany of which are already in place or in progress.\u201d<\/p>\n
\u201cProtecting guests\u2019 personal data remains a top priority for Marriott,\u201d the company said in a statement. \u201cThese resolutions reaffirm the company\u2019s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.\u201d<\/p>\n
The FTC, who worked with the states in this case, outlined three data breaches\u2014two that occurred at Starwood before Marriott\u2019s official acquisition. The first began in 2014 and involved payment card information of about 40,000 people. It was not detected until days before an announcement of Marriott\u2019s acquisition. The second data breach in 2104 and went undetected until 2018. This breach exposed nearly 340 million Starwood guest records, including millions of passport numbers.<\/p>\n
FTC said the third breach occurred from September 2018 to February 2020 at Marriott. Hackers accessed 5.2 million guest records worldwide, including 1.8 million in the U.S.<\/p>\n
The commission said Marriot agreed to only hold personal information for as long as is \u201creasonably necessary,\u201d certify compliance of its information security programs to the FTC annually for 20 years, restore loyalty points by hackers, and allow customers to request personal information be deleted.<\/p>\n
Topics<\/span> Cyber<\/a> <\/p>\n<\/p><\/div>\n Was this article valuable?<\/p>\n<\/p><\/div>\n