Marriott’s $52 Million Data Breach Settlement: What You Need to Know!

2024-10-10

Author: Kai

Introduction

In a significant development affecting millions of customers, Marriott International has agreed to pay a staggering $52 million settlement to 49 states and Washington, DC, following a series of data breaches that left more than 334 million individuals vulnerable between 2014 and 2020. This move marks one of the largest data breach settlements in recent history.

FTC Agreement

As part of a separate agreement with the Federal Trade Commission (FTC), Marriott, along with its subsidiary Starwood Hotels & Resorts Worldwide, is now mandated to implement a comprehensive information security program. This step is designed to address accusations relating to their poor security practices, which have jeopardized customer data on a massive scale.

"The FTC's decisive action, in partnership with states, is aimed at ensuring Marriott revamps its data security protocols across its global operations," stated Samuel Levine, the director of the FTC’s Bureau of Consumer Protection.

Misleading Security Claims

The FTC alleges that both Marriott and Starwood misled customers by asserting they had adequate security measures in place while, in reality, their systems were woefully inadequate. Specific shortcomings included a lack of effective password controls, failure to secure firewalls, and poor network segmentation. Alarmingly, they neglected to patch outdated software and systems, and multifactor authentication, a key security control, was not deployed.

Major Breach Incident

Among the high-profile incidents, one breach revealed in 2020 involved hackers accessing approximately 20GB of sensitive employee and customer data from the BWI Airport Marriott in Baltimore. This critical data included confidential business documents and payment information, highlighting the serious risks associated with poor data security practices.

Settlement Details

As part of the settlement, Marriott not only faces financial penalties but must also provide a pathway for all US customers to request the deletion of personal information linked to their email addresses or loyalty rewards account numbers. The exposed personal information included sensitive data such as passport information, credit and debit card details, dates of birth, and loyalty program numbers.

Additionally, the hotel chain is required to audit rewards accounts and reinstate any stolen points at customers' request.

Industry Implications

This landmark case serves as a wake-up call for the hospitality industry and other sectors regarding the importance of robust cybersecurity measures. Customers should remain vigilant, regularly monitoring their accounts for unusual activity and taking proactive steps to protect their personal information. Marriott’s ongoing commitment to improving data security practices will be essential in restoring customer trust in the wake of these alarming breaches.