Article Details

Original Article Text

Marriott settles with FTC, to pay $52 million over data breaches

Marriott International and its subsidiary Starwood Hotels will pay $52 million and create a comprehensive information security program as part of settlements for data breaches that impacted over 344 million customers.

The settlement requires Marriott and Starwood to implement a comprehensive security program and allow their U.S. customers to request personal data deletions. Additionally, the American hospitality giant has agreed to pay $52,000,000 to 49 states to resolve claims related to the data breaches.

Marriott's many data breaches

Marriott International is a hospitality company that manages and franchises a vast portfolio of hotels and lodging facilities, operating more than 7,000 properties across 130 countries. Starwood was an American hotel and leisure company until its acquisition by Marriott in 2016, making the latter responsible for data security and related hotel operations.

FTC's announcement highlights three cases where Marriott failed to safeguard its customers' information.

In June 2014, Starwood suffered a data breach where the payment card information of many of its customers was exposed. The breach was discovered and publicly disclosed 14 months later, leaving impacted clients exposed to elevated risks for over a year.

The second incident concerns hackers accessing 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. That breach occurred in July 2014 but was detected in September 2018, again leaving clients exposed for a multi-year period.

The third breach impacted Marriott itself, where malicious actors accessed the records of 5.2 million guests in September 2018. The exposed data included names, email addresses, postal addresses, phone numbers, dates of birth, and loyalty account information. In this case, too, it took Marriott until February 2020 to discover the compromise and inform its clients accordingly.
The settlement

The FTC accuses the two companies of misleading consumers about their data security practices and outlines failures such as poor password controls, outdated software, and a lack of appropriate monitoring of their IT environment.

As part of the settlement agreement, Marriott and its subsidiary Starwood will now have to implement the following measures:

Marriott has also reached a separate settlement, announced simultaneously, with 49 states and the District of Columbia, agreeing to pay $52,000,000 to resolve allegations and claims related to the above security incidents.

Daily Brief Summary

DATA BREACH // Marriott Agrees to $52 Million Settlement for Multiple Data Breaches

Marriott International, along with its subsidiary Starwood Hotels, has agreed to a $52 million settlement due to data breaches affecting over 344 million customers.

The settlement mandates the implementation of a comprehensive information security program and permits U.S. customers to request deletions of their personal data.

The Federal Trade Commission (FTC) highlighted three significant breaches, reflecting poor security measures and delayed response times.

The breaches included exposed payment card information in 2014, access to 339 million guest records in 2014, and exposure of 5.2 million guests' details in 2018.

Key issues identified in Marriott’s security included inadequate password controls, use of outdated software, and insufficient monitoring of IT environments.

Marriott also settled separately with 49 states and the District of Columbia for $52 million concerning the same data breaches.

The case underscores ongoing challenges in data security and corporate responsibility in protecting consumer information.