Marriott agrees to pay US states and FTC $52m over data breaches
Hotel group Marriott International is to pay $52m to settle charges in the US related to data breaches involving hundreds of millions of customers.
The charges were made by the Federal Trade Commission (FTC) and attorneys general from 50 US states over three separate breaches between 2014 and 2020.
The FTC alleges that the personal details – including passport information, payment card numbers, loyalty scheme details, email addresses and dates of birth – of around 300 million customers were obtained by “malicious actors”.
According to the FTC, the first data breach began in 2014 and involved Starwood Hotels, which was acquired by Marriott in 2016. While one breach was discovered shortly before the acquisition was announced, another breach was not discovered until 2018.
A third breach then took place in 2018 and remained undetected until 2020.
“Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result,” said New York attorney general Letitia James. “Protecting customers’ private information should be a top priority, not a last resort, for all companies.”
Marriott has also agreed to bolster its cyber security as part of the settlement. According to the FTC, Marriott and its subsidiary Starwood Hotels & Resorts Worldwide exhibited poor data security practices and failed to secure their computers with suitable passwords or network monitoring.
Marriott stated that it will “implement a robust information security programme” and also provide all of its US customers with the option to have their personal information deleted.
The hotel operator said it has already put in place some information security enhancements while making no admission of liability as part of the agreement struck with states and the FTC.
“Protecting guests’ personal data remains a top priority for Marriott,” the company said in a statement. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programmes and systems to assess, identify, and manage risks from evolving cybersecurity threats.”