Dive Brief:
- Marriott International agreed to bolster its information security practices to settle charges stemming from three data breaches that impacted a combined 344 million people worldwide between 2014 and 2020, the Federal Trade Commission said Wednesday in a proposed settlement.
- The world’s largest hotel company will also provide all U.S. customers a way to request their personal information be deleted. In a separate settlement, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security violation allegations.
- “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. The FTC and numerous state officials worked together on the investigation.
Dive Insight:
Many of the data privacy and security improvements Marriott agreed to as part of the settlements are already in place or in progress, the company said in a Wednesday statement.
“Marriott makes no admission of liability with respect to the underlying allegations,” the company said. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
The settlements cap a period marked by a pattern of major data breaches at Marriott and its subsidiary Starwood Hotels and Resorts Worldwide over the last decade.
The first data breach during this period began in June 2014 and went undetected for over a year until the payment card information of more than 40,000 customers was exposed in November 2015, four days after Marriott announced its plan to acquire the company, the FTC said.
Another attack that began in July 2014, one of the worst data breaches on record, hit the reservation system for Starwood two years before Marriott completed its acquisition of the company, forming the largest hotel chain globally. The attack, which exposed 339 million Starwood customer records, went undetected for almost four years, according to the FTC.
Marriott disclosed another data breach in March 2020 that exposed account details on up to 5.2 million Marriott guests. This attack went undetected from September 2018 to February 2020, the FTC said.
Marriott was later hit by a social engineering attack in 2022 that exposed non-sensitive internal business files regarding the property’s operations. The 2022 incident was not part of the FTC or states’ settlements.
The FTC said Marriott and Starwood “deceived consumers by claiming to have reasonable and appropriate data security.”
The federal agency alleges Marriott and Starwood failed to implement appropriate password controls, access controls, firewall controls or network segmentation. The complaint further alleges the companies failed to patch outdated software and systems, adequately log and monitor network environments, and deploy adequate multifactor authentication.
The FTC settlement requires Marriott to certify compliance in maintaining a comprehensive information security program with the FTC annually for 20 years. The agreement also calls for Marriott to undergo an independent, third-party assessment of its security program every two years.