Marriott reaches $52 million settlement over years of data breaches
The FTC is also requiring a security overhaul.
Marriott International is being taken to task after the hotel chain suffered multiple data breaches that exposed sensitive information for more than 344 million customers around the world. First, Marriott agreed to a settlement of $52 million with a group of 50 US attorneys general. According to Connecticut Attorney General William Tong, 131.5 million hotel customers in the states had their information compromised in the attacks on the hotels.
Second, a settlement with the Federal Trade Commission will require Marriott and its Starwood Hotels & Resorts subsidiary to implement a new information security system to protect against future data exposures. The FTC agreement includes measures such as data minimization, account review tools for its loyalty rewards programs and a link for guests to request deletion of their personal information.
Today's settlements center on three separate data breaches at Marriott and Starwood between 2014 and 2020 that allowed malicious actors to access passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and other personal information. But cybersecurity issues have been an ongoing concern for these two businesses over the past decade. Hackers used "social engineering techniques" to access an employee computer and steal about 20GB of customer data. Marriott was also part of a larger attack on Pyramid Hotel Group in 2019. Starwood was the victim of a data breach discovered in 2018; the company faced a fine of about $127.3 million in the UK for that incident.