Marriott has agreed, in two settlements, to pay $52 million and to improve its data security practices. The breaches covered by the settlements date back to 2014.
The settlements are two-fold. A resolution with 49 U.S. Attorneys General and the District of Columbia requires the hospitality giant to pay $52 million to those entities. Separately, the Federal Trade Commission is requiring Marriott and its subsidiary Starwood to implement a “robust program of information security.” In addition, the company has agreed to provide a way for all customers to request deletion of the personal information associated with their email address or loyalty account number.
Samuel Levine, Director of the FTC Bureau of Consumer Protection, said that Marriott’s poor security policies led to multiple breaches that affected hundreds of millions of consumers.
“The FTC’s actions today, in coordination with our state partners, will ensure that Marriott improves its data security practices at hotels around the world.”
Connecticut was the co-leader of the multi-state lawsuit. William Tong, its attorney general, said that companies have an obligation to take measures to protect the security of consumer data. “Marriott failed to do this, which led to the breach of Starwood’s computer network and the exposure of personal information of millions of its customers. This 50-state agreement, led by Connecticut, forces a system of risk-based protections that guards against ever-evolving cyber threats. We will continue working closely with our multistate colleagues across the nation to ensure that companies are taking all reasonable measures to protect our personal data.”
Marriott announced plans to acquire Starwood in 2015, and shortly afterwards Starwood notified customers that it had experienced a 14-month-long data breach involving payment card information for more than 40,000 customers.
After the $12.2 billion merger in 2016, Marriott became responsible for the data protection practices of both brands. In November 2018, Marriott announced that it had identified a second breach. That breach began in 2014 and involved copying information on 340 million Starwood customers worldwide; it was only discovered four years after the initial intrusion.
According to the FTC, forensic examiners determined that this breach was caused by “malicious acts” that compromised Starwood’s external-facing website and installed malware on its network. The report said that the intruders had installed “keyloggers, memory-scraping software and remote access trojans on more than 480 computers across 58 Starwood locations, including corporate, data centers, customer contact centers and hotel properties.”
Marriott’s poor security practices led to a number of breaches that affected hundreds of millions of customers.
The breach resulted in the theft of more than 5.25 million unencrypted passport numbers, along with payment card numbers, email addresses, usernames, dates of birth, Starwood loyalty numbers, stay information, flight details, and more.
Marriott reported the third breach in March 2020. Attackers used the login credentials of employees at a Marriott franchise property to gain entry to Marriott’s systems.
The intruders began stealing information in September 2018, the same month the second breach was discovered, and continued until December 2018; they then resumed in January 2020 and were not discovered until February 2020.
During this time, they accessed over 5.2 million records of guests that contained “significant amounts” (according to the FTC) of personal information.
The FTC’s complaint alleges that Marriott failed to do a number of things, including implementing appropriate password controls, patching outdated software, and monitoring its network environments. It also alleges that Marriott did not deploy appropriate firewalls or apply adequate multifactor authentication.
Marriott does not admit liability for the allegations. Marriott manages and operates more than 7,000 hotels and resorts in the United States and in more than 130 other countries.