Marriott International has agreed to pay $52 million and implement enhanced data security measures to resolve state and federal claims related to significant data breaches affecting over 300 million customers globally.
The Federal Trade Commission (FTC) and a coalition of attorneys general from 49 states and the District of Columbia announced the terms of separate settlements with Marriott. These investigations focused on three data breaches that occurred between 2014 and 2020.
As a result of these breaches, malicious actors accessed passport information, payment card numbers, loyalty program numbers, birth dates, email addresses, and personal information of hundreds of millions of consumers, according to the FTC's proposed complaint.
The FTC alleged that Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, failed to secure their computer systems with appropriate password controls, network monitoring, or other practices to protect data.
Under the settlement with the FTC, Marriott has committed to implementing a robust information security program and will provide all U.S. customers with a means to request the deletion of any personal information linked to their email address or loyalty account number.
Additionally, Marriott has settled similar claims brought by the coalition of attorneys general. Beyond agreeing to strengthen its data security practices, the hotel operator will pay a $52 million penalty, which will be distributed among the states.
In a statement released on its website, Marriott, based in Bethesda, Maryland, noted that it made no admission of liability in its agreements with the FTC and the states. The company also stated that it has already implemented improvements in data privacy and information security.
In early 2020, Marriott discovered an unexpected amount of customer information had been accessed using the login credentials of two employees from a franchised property. At that time, the company estimated that personal data of around 5.2 million customers worldwide may have been affected.
In November 2018, Marriott announced a massive data breach in which hackers accessed information on nearly 383 million guests. In this case, Marriott reported that unencrypted passport numbers of at least 5.25 million customers were accessed, along with credit card information from 8.6 million customers. The affected hotel brands were operated by Starwood prior to its acquisition by Marriott in 2016.
The FBI conducted the investigation into this data theft, with investigators suspecting that the hackers were working on behalf of the Chinese Ministry of State Security, roughly equivalent to the CIA.