Marriott will pay $52 million and enhance data security measures to settle investigations related to data breaches.

Marriott International has reached an agreement to pay $52 million and implement enhancements in its data security protocols in response to federal and state allegations concerning significant data breaches that impacted over 300 million customers globally.

On Wednesday, the Federal Trade Commission (FTC) alongside attorneys general from 49 states and the District of Columbia revealed the specifics of separate settlements with Marriott. These entities conducted concurrent investigations into three separate data breaches occurring between 2014 and 2020.

The breaches allowed “malicious actors” to gain access to sensitive customer information, including passport details, payment card numbers, loyalty account numbers, dates of birth, email addresses, and other personal data, as indicated in the FTC’s proposed complaint.

The FTC asserted that Marriott, along with its subsidiary, Starwood Hotels & Resorts Worldwide, exhibited inadequate data protection measures which contributed to the breaches.

It was specifically noted that the hotel chain failed to properly secure its computer systems through effective password management, network surveillance, and other necessary data protection practices.

As part of its settlement with the FTC, Marriott has committed to establishing a comprehensive information security strategy and will allow all U.S. customers the option to request the deletion of any personal data linked to their email addresses or loyalty accounts.

In addition, Marriott has addressed similar claims from the group of attorneys general, consenting not only to fortify its data security measures but also to pay a $52 million fine that will be distributed among the states involved.

In a statement posted on its website on Wednesday, the Bethesda, Maryland-based company emphasized that it did not admit to any wrongdoing within the context of its agreements with the FTC and the states, while asserting that it has already begun implementing significant improvements to its data privacy and information security systems.

The company first discovered unauthorized access to guest information in early 2020 when login credentials belonging to two employees at a franchised location were compromised. At that time, Marriott estimated that the personal details of roughly 5.2 million guests worldwide could have been affected.

Previously, in November 2018, Marriott had disclosed a massive data breach in which hackers were believed to have accessed the records of up to 383 million guests. In that incident, unencrypted passport information of at least 5.25 million guests and credit card data of 8.6 million guests were reportedly compromised. This breach involved hotel brands that were managed by Starwood before Marriott’s acquisition in 2016.

The FBI spearheaded the inquiry into that data theft and had reasons to suspect that the attackers were affiliated with the Chinese Ministry of State Security – an entity that roughly parallels the CIA in the United States.