Marriott to Pay $52 Million Over Data Breaches Affecting Millions
Marriott International and its subsidiary, Starwood Hotels, will pay $52 million and implement a comprehensive data security program as part of a settlement concerning major data breaches from 2014 to 2020, affecting more than 344 million customers.
Under the agreement, Marriott and Starwood are required to establish an extensive data protection program and provide U.S. customers with the ability to request the deletion of their personal information.
Marriott International, a large hospitality corporation managing over 7,000 properties worldwide, acquired Starwood Hotels in 2016, assuming responsibility for securing the data of both companies’ clients.
The FTC highlighted several instances in which Marriott failed to adequately safeguard customer data:
- The first incident occurred in 2014 when Starwood experienced a data breach that compromised customers’ payment cards. This breach went undetected for 14 months, significantly increasing the risks to affected users.
- The second incident involved hackers gaining access to 327 million Starwood customer accounts, including 5.25 million unencrypted passport numbers. This breach began in July 2014 but wasn’t discovered until 2018, leaving customers vulnerable for years.
- The third incident directly impacted Marriott. In 2020, attackers accessed the personal data of 5.2 million customers, including their names, email addresses, mailing addresses, phone numbers, birth dates, and loyalty program account details. Marriott did not detect the breach until February 2020.
The FTC accused Marriott and Starwood of misleading customers about their data security practices. Key issues included weak passwords, outdated software, and insufficient oversight of the IT infrastructure.
As part of the settlement, Marriott and Starwood are required to:
- Establish a comprehensive data protection program, subject to external assessments every two years and annual certifications for 20 years.
- Limit data retention to what is necessary and inform customers of the reasons for data collection.
- Allow customers to request a review of unauthorized account activity and the restoration of lost loyalty points.
- Provide customers with the option to request the deletion of personal information associated with their email or loyalty account.
- Ensure transparency in data protection practices and prohibit any misrepresentation of how personal data is handled.
Marriott also reached a separate agreement with 49 U.S. states and the District of Columbia, committing to pay $52 million to resolve claims related to the aforementioned incidents.