Marriott International has agreed to pay $52 million and make changes to strengthen data security to resolve state and federal claims related to major data breaches that affected more than 300 million of its customers worldwide.
The Federal Trade Commission and a group of attorneys general from 49 states and the District of Columbia announced the terms of separate settlements with Marriott on Wednesday. The FTC and the states conducted parallel investigations into three data breaches, which occurred between 2014 and 2020.
As a result of the data breaches, “malicious actors” obtained passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information of hundreds of millions of consumers, according to the FTC’s proposed complaint.
The FTC alleged that Marriott and its subsidiary Starwood Hotels & Resorts Worldwide’s poor data security practices led to the breaches.
Specifically, the agency alleged that the hotel operator failed to secure its computer system with appropriate password controls, network monitoring, or other data protection practices.
As part of the proposed settlement with the FTC, Marriott agreed to “implement a robust information security program” and provide all its U.S. customers with a way to request that any personal information associated with their email address or loyalty rewards account number be deleted.
Marriott also settled similar claims by the attorneys general group. In addition to agreeing to strengthen its data security practices, the hotel operator will also pay a $52 million fine to be bifurcated by the states.
In a statement on its website Wednesday, Bethesda, Maryland-based Marriott noted that it has not admitted liability as part of its agreements with the FTC and states. It also said it has already implemented improvements in data privacy and information security.
Early 2020, Marriott noticed that an unexpected amount of guest information was being accessed using the login credentials of two employees of a franchise property. The company estimated at the time that the personal data was about 5.2. million guests worldwide could be affected.
In November 2018, Marriott announced a major data breach in which hackers gained access to information about as many as 383 million guests. In that case, Marriott said it accessed the unencrypted passport numbers of at least 5.25 million guests, as well as the credit card information of 8.6 million guests. The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016.
The FBI led the investigation into that data theft, and investigators suspected the hackers were working on behalf of China’s Ministry of State Security, the rough equivalent of the CIA.
