Marriott Agrees To Pay $52 Million Penalty, Boost Security After Data Breaches

Marriott International has agreed to pay $52 million and implement necessary changes to its data security system in an effort to settle both state and federal claims following major data breaches that impacted more than 300 million of its customers around the globe. The data breaches took place from 2014 to 2020.

The Federal Trade Commission (FTC), attorneys general from 49 states, and the District of Columbia, reached separate settlement agreements with the hotel giant on Wednesday, Reuters reported. Both the FTC and the states conducted investigations into three data breaches during which hackers compromised sensitive customer information.

The Associated Press, citing the FTC's proposed complaint, reported that these "malicious actors" obtained sensitive information of the hotel chain's hundreds of million of customers such as their passport information, payment card numbers, email addresses, dates of birth, and other personal information.

The FTC alleged that Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, were responsible for the breaches due to inadequate data security measures. The commission indicated that the hotel operator failed to implement sufficient data protection, password controls, and network monitoring.

In Marriott's proposed settlement with the agency, the hotel-chain agreed to implement a tighter security program and offer all of its U.S. customers an option to request the deletion of any personal information linked to their email address or loyalty rewards account number.

"To settle the FTC's case, Marriott and Starwood have agreed to a proposed order that will require them to implement processes and checks designed to prevent future problems by protecting personal information, detecting problems as they arise, and fixing any issues in a timely manner," a business guidance from the FTC revealed.

The hotel chain also settled similar claims brought by 49 states and the District of Columbia. Besides boosting its data security practices, Marriott also will pay $52 million penalty to be split by the states.

According to the AP report, Bethesda, Maryland-based Marriott, did not admit to any liability as part of its agreement with the two complainants.

In 2020, Marriott discovered that a significant volume of guest information was accessed using the credentials of two employees at a franchised property, estimating that the data of approximately 5.2 million guests worldwide may have been affected.

In November 2018, the hotel chain disclosed a massive breach affecting roughly 383 million guests, during which unencrypted passport numbers for at least 5.25 million guests were accessed, along with credit card information for 8.6 million guests. The compromised hotel brands were operated by Starwood prior to its acquisition by Marriott in 2016.

The breach prompted an FBI investigation, which reported that the suspected hackers were linked to the Chinese Ministry of State Security.