Incident & Breach Response , Legislation & Litigation , Security Operations

Marriott Pays $52M to Settle US States' Breach Litigation

World's Biggest Hotel Chain Also Settles with Federal Trade Commission
Marriott Pays $52M to Settle US States' Breach Litigation
Image: Shutterstock

The world's largest hotel chain agreed Wednesday to pay $52 million and submit to two decades of third-party monitoring of its cybersecurity program to settle probes into a rash of data breaches affecting millions of guests.

See Also: Cyber Insurance Assessment Readiness Checklist

The multimillion-dollar payout is part of a settlement reached with 50 U.S. attorneys general - 49 states plus the District of Columbia. A consent order with the Federal Trade Commission requires two decades' worth of cybersecurity program assessments made by an outside assessor. The settlements all require final approval, whether from state judges or another round of voting from FTC commissioners, in steps that typically amount to formalities.

"Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that," said Connecticut Attorney General William Tong, who co-led the coalition of state attorneys general.

Maryland-based Marriott has been mired in data breach litigation almost continuously since 2018 after uncovering hackers in the reservation system bundled with its acquisition of the Starwood luxury chain in September 2016. Further investigation showed the hackers - reportedly part of a Chinese cyberespionage operation - first gained access to the system in July 2014. A final tally of the impact calculated that 133.7 million hotel guests were caught up in the breach, which also exposed unencrypted passport numbers of 5.25 million individuals. The FTC in an administrative complaint said hackers installed keyloggers, memory-scraping malware and remote access Trojans in "over 480 systems across 58 locations within the Starwood environment," including in the corporate network, data center, customer contact center and hotel locations.

Marriott divulged another data breach in March 2020, disclosing that hackers infiltrated its network in an incident affecting 5.2 million guests. Stolen data included personally identifying information such as names, emails, phone numbers and birthdays.

The FTC consent agreement also encompasses a breach detected by Starwood in November 2015. Over a 14-month period, hackers compromised unprotected administrative accounts and installed malware in systems at more than 100 hotels, extracting full payment card data.

In a statement, Marriott said it is making no admission of liability in the settlements. "Protecting guests' personal data remains a top priority for Marriott," the company asserted.

As part of its agreement with state attorneys general, Marriott must embrace zero trust principles "where reasonably feasible." It must also contractually require enhanced cybersecurity controls for "critical IT vendors" including cloud computing providers.

The FTC settlement requires the company to limit its data collection by retaining data only as long as necessary to fulfill its purpose. The hotel chain also must offer consumers an easy way to delete their personal information from corporate databases.

The two agreements require Marriott to establish a portal for consumers to request a review of their loyalty rewards account for any suspicious activity that might have occurred over the previous 12 months.

Putative class action litigation stemming from the 2018 breach continues in federal court. A U.S. District of Maryland judge granted the lawsuit class-action status in 2022, but an appeals court in August 2023 vacated that decision and remanded the case back to the district to further consider the effects of a class-action waiver signed by hotel guests.

Marriott paid a $24 million fine in 2020 to British data protection authorities, imposed under the U.K. General Data Protection Regulation, for the 2018 breach (see: Marriott Hit With $24 Million GDPR Privacy Fine Over Breach).


About the Author

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.