The settlements resolve a case with 49 states and come with an FTC directive to implement a “robust information security program.”
Note: This story first appeared on Phocuswire.
WASHINGTON, D.C. — Marriott International has agreed to pay $52 million and to strengthen its data security practices in settlements related to three data breaches dating back to 2014.
The settlements are two-fold. The first is a resolution with 49 U.S. state attorneys general and the District of Columbia, under which Marriott will pay $52 million to those entities. The second is with the Federal Trade Commission, which will require Marriott and its subsidiary Starwood to implement a “robust information security program.” Additionally, the company has agreed to provide all customers in the United States with a way to request the deletion of personal information associated with their email addresses or loyalty rewards account numbers.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
Connecticut co-led the multistate case. Its attorney general, William Tong, said, “Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests.”
Marriott announced plans to acquire Starwood in 2015, shortly after Starwood notified customers it had experienced a 14-month-long data breach involving payment card information for more than 40,000 customers.
Once the $12.2 billion merger went through in 2016, Marriott became responsible for the data security practices of both brands. Two years later, in November 2018, Marriott revealed it had identified what is now counted as the second breach: intruders had been copying information on about 340 million Starwood guests worldwide since 2014, and the activity went undetected for four years.
According to the United States Federal Trade Commission, forensic examiners determined this breach was due to “malicious actors” compromising Starwood’s external-facing web server and installing malware on its network. It said the intruders installed “key loggers, memory-scraping malware and remote access trojans” on more than 480 systems across 58 locations within Starwood’s environment, including corporate, data center, customer contact center and hotel property locations.
Personal information stolen during this breach included more than 5.25 million unencrypted passport numbers, as well as payment card numbers, email addresses, user names and dates of birth, Starwood loyalty numbers, stay information, flight information, and more.
Marriott reported the third breach in March 2020, when it said hackers used employees' login credentials at a franchise property to gain access to Marriott’s network.
The intruders began stealing information in September 2018 – the same month the second breach was discovered – and continued until December 2018, then resumed in January 2020 until they were discovered in February 2020.
During that time, they accessed more than 5.2 million guest records, which the FTC said contained “significant amounts” of personal information.
The FTC complaint alleges Marriott fell short in several areas, including implementing appropriate password controls, patching outdated software, monitoring its network environments, deploying appropriate firewalls and applying adequate multifactor authentication.
The agreements with the FTC and the attorneys general indicate that Marriott makes no admission of liability with respect to the underlying allegations. Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries.