Introduction
Marriott International, Inc [1] [2] [3] [4] [5] [8] [9] [10] [11], a leading hotel chain, has been ordered to pay a $52 million penalty following a multistate settlement involving 50 US states and the District of Columbia. This settlement addresses significant information security failures, including major data breaches that compromised sensitive customer information globally [11].
Description
Hotel giant Marriott International, Inc [2] [7] has been ordered to pay a $52 million penalty as part of a multistate settlement involving 50 US states, including Oregon [2] [4] [7], New York [2] [5], and New Jersey [9], as well as the District of Columbia. This settlement follows extensive investigations into two significant information security failures, including a major data breach that compromised sensitive customer information for approximately 131.5 million individuals in the United States and over 344 million globally. The breaches, which occurred over several years from July 2014 to September 2018 and continued through 2020, exposed a range of sensitive personal data, including names [4] [5] [7] [9] [10], addresses [3] [4] [7] [8] [9] [10] [11], email addresses [8] [11], phone numbers [11], dates of birth [1] [2] [4] [5] [8] [9] [10], gender [1] [2] [3] [4] [5] [7] [8], unencrypted passport numbers [1] [2] [3] [4] [5] [7] [9] [10] [11], unexpired payment card information [1] [2] [3] [4] [5] [7], loyalty program numbers, reservation details [2] [3] [4] [5] [7] [9], hotel stay preferences [1] [2] [3] [4] [5], and legacy Starwood Preferred Guest information [2] [4] [5].
The investigation [3] [4] [7] [9] [11], conducted by the Federal Trade Commission (FTC) and state attorneys general [7], revealed that Marriott failed to implement reasonable data security measures, leading to violations of state consumer protection and personal information protection laws [3] [7], including the New Jersey Consumer Fraud Act [9]. Significant security deficiencies were identified, such as inadequate password, access [1] [2] [5] [6] [7] [8] [9] [11], and firewall controls [7] [11], lack of network segmentation [11], failure to patch outdated software [11], and insufficient monitoring of network activity [11]. Notably, the first breach occurred in 2014 when unauthorized third-party malware accessed the guest reservation database of Starwood Hotels and Resorts Worldwide [9], a subsidiary of Marriott [2] [5]. Intruders remained undetected in the network for 14 months [9], exposing millions of unencrypted passport numbers and affecting Marriott’s internal network [11]. Additionally, a second incident involved attackers compromising employee credentials at a Marriott-franchised property [9], gaining access to Marriott’s network from September to December 2018 [9], and again from January to February 2020 [9], affecting over 5.2 million guest records [1] [7] [9], including 1.8 million related to US consumers [9].
As part of the settlement [2] [3] [4] [7], which is pending court approval [1], Marriott is required to enhance its cybersecurity practices through a comprehensive Information Security Program based on a dynamic risk-based approach and zero trust principles. This includes conducting annual risk assessments, ongoing risk analyses [10], and improving employee training on data handling [1]. The company must also implement data deletion and minimization policies, provide consumer protections such as account monitoring and multi-factor authentication for loyalty rewards accounts [3] [10], and ensure timely termination of former employees’ accounts. Furthermore, guests will have a mechanism to request the deletion of their personal information [8].
Marriott is also mandated to address security deficiencies in any future corporate acquisitions [10], acknowledging that vulnerabilities in Starwood’s system were neglected for two years after the acquisition [10]. The company must increase oversight of vendors and franchisees [1], assess the information security of any acquired entities [2], and conduct regular security reporting to its board and senior management [7]. Independent third-party assessments of its information security program will be required every two years for the next 20 years.
The FTC accused Marriott and Starwood of misleading consumers regarding their data security practices [7], citing failures in various security controls. Under the proposed order [7], the companies will be prohibited from misrepresenting their data handling practices [7]. Marriott has stated that it makes no admission of liability regarding the allegations and is already implementing enhancements to its data privacy and information security programs [7], emphasizing its commitment to protecting guests’ personal data [7]. As part of the settlement [2] [3] [4] [7], Illinois will receive $2.1 million, New York will receive $2.29 million [9], Tennessee will receive $919,043 [4], and New Jersey will receive over $1.3 million [9], with the overall aim of providing affected individuals with specific protections and improving overall data security practices.
Conclusion
The settlement underscores the critical importance of robust data security measures in protecting consumer information. Marriott’s commitment to enhancing its cybersecurity practices [4], including adopting a risk-based approach and zero trust principles, is a significant step toward mitigating future risks. The company’s obligation to address security deficiencies in future acquisitions and the requirement for regular third-party assessments highlight the ongoing need for vigilance in data protection. This case serves as a reminder to all organizations of the potential consequences of inadequate data security and the necessity of maintaining consumer trust through transparent and effective data handling practices.
References
[1] https://www.mass.gov/news/ag-campbell-announces-52-million-settlement-with-marriott-for-breach-of-guest-reservation-database
[2] https://www.claimsjournal.com/news/national/2024/10/09/326737.htm
[3] https://illinoisattorneygeneral.gov/news/story/attorney-general-raoul-announces-52-million-settlement-agreement-with-marriott-for-data-breach-of-starwood-reservation-database
[4] https://www.tn.gov/attorneygeneral/news/2024/10/9/pr24-73.html
[5] https://www.aol.com/marriott-data-breach-settlement-yorkers-084510017.html
[6] https://www.oregonlive.com/business/2024/10/marriott-settles-yearslong-data-breach-with-52m-for-oregon-other-states-heres-what-to-do.html
[7] https://www.infosecurity-magazine.com/news/marriott-settlement-massive-data/
[8] https://www.engadget.com/cybersecurity/marriott-reaches-52-million-settlement-over-years-of-data-breaches-181327146.html
[9] https://wrnjradio.com/ag-platkin-multistate-coalition-announce-52m-settlement-for-marriott-starwood-data-breaches/
[10] https://www.doj.state.or.us/media-home/news-media-releases/ag-rosenblum-announces-52-million-national-data-breach-settlement-with-marriott-2-1-million-to-go-to-oregon/
[11] https://www.techtarget.com/searchSecurity/news/366613513/FTC-orders-Marriott-to-pay-52M-and-enhance-security-practices