Marriott International agreed to pay $52 million and make changes to strengthen its data security to resolve state and federal claims related to major data breaches that affected more than 300 million of its guests worldwide.
The Federal Trade Commission and a group of attorneys general from 49 states and the District of Columbia announced terms of separate settlements with Marriott on Wednesday. The FTC and the states conducted parallel investigations into three data breaches, which occurred between 2014 and 2020.
As a result of the data breaches, “malicious actors” obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or other personal information of hundreds of millions of consumers, according to the FTC’s proposed complaint.
The FTC claimed that poor data security practices by Marriott and its subsidiary Starwood Hotels & Resorts Worldwide led to the breaches.
Specifically, the agency alleged that the hotel operator failed to secure its computer system with appropriate password controls, network monitoring or other practices to protect data.
As part of its proposed settlement with the FTC, Marriott agreed to “implement a robust information security program” and to provide all of its U.S. customers with a way to request that any personal information associated with their email address or their loyalty rewards account number be deleted.
Marriott also settled similar claims filed by the attorneys general group. In addition to agreeing to strengthen its data security practices, the hotel operator will also pay a $52 million penalty that will be distributed among the states.
In a statement posted on its website Wednesday, Bethesda, Md.-based Marriott said it makes no admission of liability under its agreements with the FTC and the states. It also said it has already implemented data privacy and information security improvements.
In early 2020, Marriott noticed that an unexpected amount of guest information had been accessed using the login credentials of two employees at a franchise property. At the time, the company estimated that the personal data of about 5.2 million customers worldwide may have been affected.
In November 2018, Marriott announced a massive data breach in which hackers accessed information on as many as 383 million guests. In this case, Marriott said the unencrypted passport numbers of at least 5.25 million guests were accessed, as well as the credit card information of 8.6 million guests. The affected hotel brands were operated by Starwood before its acquisition by Marriott in 2016.
The FBI led the investigation into the data theft, and investigators suspected the hackers were working on behalf of China’s Ministry of State Security, the rough equivalent of the CIA.