Marriott Agrees to Pay $52 Million in Landmark Settlement with FTC Over Massive Data Breaches

Big news in the cybersecurity world: Marriott International and its subsidiary Starwood Hotels are on the hook for $52 million, plus the creation of a comprehensive information security program, as part of a settlement for data breaches that affected more than 344 million customers.

What does this mean for you, the U.S. consumer? For starters, Marriott and Starwood will have to implement a robust security program and allow customers to request personal data deletions.

And there’s more: The American hospitality giant has also agreed to pay $52,000,000 to 49 states to resolve claims related to these data breaches.

So, what happened with Marriott?

Marriott International is a major player in the hospitality industry, managing and franchising a huge portfolio of hotels and lodging facilities. They operate over 7,000 properties in 130 countries worldwide.

Starwood, on the other hand, was an American hotel and leisure company until Marriott acquired it in 2016. This acquisition made Marriott responsible for data security and related hotel operations.

The announcement from the FTC shines a light on three cases where Marriott dropped the ball when it came to protecting its customers’ information.

First, there was a data breach in June 2014 in which many Starwood customers’ payment card information was exposed. It took 14 months for this breach to be discovered and publicly disclosed, which left affected clients exposed to elevated risks for over a year.

Then, there was a second incident where hackers accessed 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. This breach occurred in July 2014 but wasn’t detected until September 2018, again leaving customers exposed for multiple years.

Lastly, a third breach impacted Marriott itself. In September 2018, malicious actors accessed the records of 5.2 million guests. The exposed data included names, email addresses, postal addresses, phone numbers, dates of birth, and loyalty account information. Marriott didn’t discover this compromise and inform its clients until February 2020.

What’s the deal with the settlement?

The FTC is accusing Marriott and Starwood of misleading consumers about their data security practices. Some of the outlined failures include poor password controls, outdated software, and a lack of appropriate monitoring in their IT environment.

As part of the settlement agreement, Marriott and Starwood will now have to:

1. Establish a comprehensive information security program, complete with third-party assessments every two years and annual compliance certification for 20 years.
2. Limit data retention to only what’s necessary and inform customers of the reason for collecting and keeping their data.
3. Allow customers to request reviews of unauthorized activity in their loyalty accounts and restore stolen points.
4. Provide a way for customers to request deletion of personal information linked to their email or loyalty account.
5. Prohibit misrepresenting how personal data is handled and ensure transparency in security practices.

Marriott has also reached a separate settlement with 49 states and the District of Columbia, agreeing to pay $52,000,000 to resolve allegations and claims related to the above security incidents.

What can you do to protect yourself?

Data breaches like these are a harsh reminder that we need to be vigilant about our online security. Make sure to use strong, unique passwords for each of your accounts and keep an eye on your financial and loyalty accounts for any suspicious activity. Consider using a password manager to help you keep track of your passwords securely.

And remember, we’re always here to help. If you have any questions about cybersecurity or want to learn more about protecting your personal information, don’t hesitate to reach out to us. We’re committed to helping you stay informed and secure in this ever-changing digital landscape.