
Marriott settles with states for $52 million over 2018 data breach at Starwood

Marriott International has agreed to a settlement with the Federal Trade Commission and 50 state attorneys general over a series of data breaches at a subsidiary of its guest reservation system.

Marriott will pay $52 million to settle charges brought by 50 attorneys general over a data breach that exposed the information of hundreds of millions of customers, according to multiple state filings. According to the states, their allegations involve a breach that began in 2014 at Starwood Hotels but was not detected until September 2018. Marriott acquired Starwood in 2016.

“Marriott let cybercriminals live in its database for years, and millions of people had their information stolen. Protecting private customer information should be a top priority, not a last resort, for all businesses,” New York Attorney General Letitia James said in a statement.

Attorneys general began an investigation into the hotel chain after the data breach, alleging that Marriott violated state consumer protection, personal information protection and breach notification laws.

New York will receive nearly $2.3 million from the settlement. Payments to states vary. In Ohio, which will receive $1.5 million, Attorney General Dave Yost added that attorneys general are “holding the company accountable and making sure they put tools in place to prevent repeat performance.”

Marriott, while not admitting any liability, said it would continue to improve its privacy and information security programs, “many of which are already in place or underway.”

“The protection of guests’ personal data remains a top priority for Marriott,” the company said in a statement. “These resolutions reaffirm the company’s continued focus and significant investment in maintaining and adapting its programs and systems to assess, identify and manage risks posed by evolving cybersecurity threats.”

The FTC, which worked with the states on the case, pointed to three data breaches — two that occurred at Starwood before Marriott’s formal acquisition. The first began in 2014 and involved the payment card information of around 40,000 people. It was not detected until a few days before an announcement about the Marriott acquisition. The second data breach began in 2014 and remained undetected until 2018. This breach exposed nearly 340 million Starwood guest records, including millions of passport numbers.

The FTC said the third breach occurred between September 2018 and February 2020 at Marriott. Hackers accessed 5.2 million guest records worldwide, including 1.8 million in the US.

The commission said Marriott agreed to retain personal information only as long as “reasonably necessary,” certify compliance with its information security programs to the FTC annually for 20 years, reinstate loyalty points stolen by hackers and allow customers to request deletion of personal information.
