Marriott required to pay $52 million, beef up information security in wake of data breaches

The Federal Trade Commission (FTC) will require Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to strengthen their information security in order to resolve charges that poor past practices led to three major data breaches.

Those breaches, which occurred between 2014 and 2020, impacted more than 344 million customers worldwide, the FTC said in a press release.

Marriott also agreed on Wednesday to pay $52 million to 49 states and the District of Columbia to resolve similar allegations. The FTC did not have legal authority to obtain civil penalties, but worked closely with state regulators on the probe, the agency said.

Under the terms of the proposed FTC settlement, Marriott and Starwood have agreed to give American customers a way to ask that their personal information be erased, the FTC said.

In addition to strengthening their overall security posture, and certifying their compliance with their new security regime for 20 years, Marriott also will now only retain customer data for as long as is “reasonably necessary to fulfill the purpose for which it was collected,” according to the FTC.  

The information security program required by the settlement will be subject to an independent, third-party assessment every two years.

The hotel chains will additionally be required to review rewards accounts upon request and, in some cases, restore loyalty points when customers report that they have been stolen. 

Marriott manages and franchises more than 7,000 properties throughout the U.S. and in more than 130 countries. The massive hotel chain acquired Starwood in 2016 and then became responsible for its data security as well.

Marriott and Starwood allegedly failed to use “appropriate” password controls, access controls, firewall controls, or network segmentation; to patch software and systems in a timely manner; to “adequately” log and monitor network environments; and to deploy appropriate multi-factor authentication, according to the press release.

As a result, hackers allegedly accessed passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and additional personal information from hundreds of millions of consumers, according to the FTC’s complaint.

The first breach beginning in June 2014 allegedly went undetected for 14 months, the FTC said. The second breach allegedly began around July 2014 and was undiscovered until September 2018. Both of these breaches affected Starwood customers and occurred before Marriott took ownership of the chain.

Hackers accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers, the FTC press release said.

The third alleged breach, which impacted Marriott’s network, was not detected until February 2020, 17 months after it began, according to the agency. 

In the latter breach, hackers allegedly accessed 5.2 million guest records globally, including data from 1.8 million Americans. Names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information were exposed, the FTC said.

Marriott only acknowledged the 2018 hack, which impacted its own networks as opposed to Starwood’s, in a press release it posted to its website Wednesday.

The hotel giant said it “makes no admission of liability with respect to the underlying allegations,” in the press release.

Marriott will make data privacy and information security program improvements, the release said, noting that many are already “in place or in progress.”

“Protecting guests’ personal data remains a top priority for Marriott,” the press release said. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”