Marriott International has agreed to a significant $52 million settlement with the Federal Trade Commission (FTC) and 50 state attorneys general regarding a series of data breaches affecting its Starwood Hotels subsidiary. The breaches, the earliest of which originated in 2014 and which were discovered in September 2018, compromised sensitive information of hundreds of millions of customers, raising serious concerns about the company’s data protection practices. The investigation found that attackers retained access to Marriott’s database for several years, resulting in extensive theft of personal information.
The FTC’s inquiry identified three major breaches, two of which occurred prior to Marriott’s acquisition of Starwood in 2016. The first breach began in 2014 and involved the payment card data of around 40,000 customers, remaining undetected until just days before the acquisition announcement. The second breach also originated in 2014, impacting nearly 340 million Starwood guest records, including passport numbers. Additionally, a third breach occurred from September 2018 to February 2020, compromising 5.2 million guest records globally, with a significant number in the United States.
As part of the settlement, Marriott will not admit liability but has committed to improving its data privacy and security measures. The company emphasized its ongoing focus on protecting guest data and will implement several new practices. This includes retaining personal information only as long as necessary, certifying compliance with its information security programs annually to the FTC for the next 20 years, and restoring loyalty points that were compromised in the breaches.
The case underscores the critical importance of robust cybersecurity measures, especially for large corporations handling vast amounts of sensitive customer data. New York Attorney General Letitia James highlighted the necessity for companies to prioritize the protection of customer information as a fundamental aspect of their operations. With varying settlements distributed among the states, the outcome of this case serves as a reminder for organizations to remain vigilant against evolving cybersecurity threats and to ensure their data protection practices are both effective and compliant with legal standards.