migores1

Marriott settles for $52 million with 50 state AGs over data breach

New York Attorney General Letitia James announced a $52 million multi-state settlement with Marriott International Inc. on Wednesday for a one-year data breach of one of its guest reservation databases.

One of Marriott’s subsidiaries, Starwood Hotels and Resorts Worldwide, had intruders in its system for four years without detection, according to a multi-state investigation. This reportedly led to a data breach that affected 131.5 million customers nationwide.

The settlement with 50 attorneys general requires Marriott to review and strengthen its data security to protect private customer information and pay $52 million in penalties.

A multi-state investigation found that from July 2014 to September 2018, intruders accessed and remained in Starwood’s databases undetected. The data theft affected people across the country and exposed personal information, including contact information, gender, dates of birth, old Starwood Preferred Guest information, reservation information and hotel stay preferences, as well as a limited number of unencrypted passports and unexpired payment card information, according to investigators.

According to the agreement, some steps Marriott must take to strengthen its cybersecurity practices include:

  • An independent third-party evaluation of Marriott’s information security program every two years for a period of 20 years.
  • Data minimization and elimination requirements that result in the collection and retention of less customer data.
  • Implementing a comprehensive information security program, including regular security reporting to the highest levels within the company.
  • Increased oversight of suppliers and franchisees, with a focus on risk assessments for critical IT suppliers and clearly defined contracts with cloud providers.
  • If Marriott acquires another entity, it must promptly assess the information security program of the acquired entity and develop plans to address deficiencies as part of integration into the Marriott network.

The agreement also requires Marriott to allow customers to delete their data stored at the hotel if they wish. Marriott must also provide customers with multi-factor authentication for their loyalty rewards accounts and conduct reviews of these accounts to ensure there is no suspicious activity.

The settlement includes the attorneys general of Alabama, Alaska, Arizona, Arkansas, Connecticut, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, Wyoming, Vermont and the District of Columbia.
