Marriott International has reached an agreement to pay $52 million and implement enhanced data security measures in response to state and federal investigations concerning significant data breaches that compromised the personal information of over 300 million customers globally.
The settlement, announced on Wednesday, involves the Federal Trade Commission (FTC) and a coalition of attorneys general from 49 states and the District of Columbia, who conducted parallel investigations into three separate breaches that occurred between 2014 and 2020.
The FTC’s proposed complaint indicated that hackers gained access to sensitive data, including passport numbers, payment card information, loyalty account details, dates of birth, and email addresses, due to inadequate data security practices at Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide. The agency alleged that the hotel chain failed to implement sufficient password protections, network monitoring, and other essential safeguards.
As part of the settlement with the FTC, Marriott has agreed to establish a comprehensive information security program and will provide US customers the ability to request the deletion of their personal information linked to their email address or loyalty account number.
The $52 million is paid under the state settlements rather than the FTC order, and will be divided among the 49 participating states and the District of Columbia.
In a statement released Wednesday, Marriott, based in Bethesda, Maryland, emphasized that it made no admission of liability in connection with the settlements. The company noted that it has already implemented numerous data privacy and security enhancements.
The most recent of the three breaches came to light in early 2020, when Marriott detected unusual access to guest information made using the login credentials of two employees at a franchised property. The company estimated that the personal data of approximately 5.2 million guests may have been exposed in that incident.
Earlier, in November 2018, Marriott had disclosed a far larger breach of the Starwood guest reservation database affecting up to 383 million guest records, in which roughly 5.25 million unencrypted passport numbers and about 8.6 million payment card numbers were accessed. That intrusion was investigated by the FBI, which suspected the attackers were linked to the Chinese Ministry of State Security.
Marriott’s settlements with both the FTC and the attorneys general require the company to take substantial steps to improve its data security. This includes implementing multi-factor authentication, network segmentation, and data encryption. Furthermore, the agreements stipulate that Marriott must undergo independent assessments of its information security program every two years and provide a mechanism for customers to request reviews of unauthorized activity related to their loyalty accounts.
Overall, the settlements reflect a growing scrutiny of corporate data security practices amid increasing cyber threats. Despite the financial penalty, Marriott’s revenue was reported to be approximately $23.71 billion in 2023, suggesting that the settlement is a manageable cost for the company as it works to enhance its cybersecurity measures.
The Associated Press, The Register, and ZDNet contributed to this report.