Marriott agrees to pay $52 million in compensation for data breaches.
The company must also replenish the loyalty points that were stolen from customers.
Marriott has reached an agreement to pay $52 million as compensation to 49 states and Washington, D.C., due to a series of security breaches that occurred between 2014 and 2020, which affected over 334 million customers. As part of an additional settlement, the Federal Trade Commission (FTC) has also required Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, to implement an information security program to address the allegations related to these data breaches.
Samuel Levine, director of the FTC's Consumer Protection Bureau, stated that "Marriott's inadequate security practices led to multiple breaches that affected hundreds of millions of customers." According to him, the action taken by the FTC in conjunction with state authorities aims to ensure that Marriott improves its data security practices at its hotels around the world.
The FTC asserts that Marriott and Starwood, acquired in 2016, misled their customers by claiming they had adequate and reasonable data security measures when they actually left them vulnerable to attacks. The FTC's complaint alleges that Marriott failed to implement appropriate password controls, did not establish firewalls, and did not properly segment networks. Furthermore, the company did not update outdated software and systems and did not apply multi-factor authentication, according to the FTC.
A specific case, discovered in 2020, involved the theft of nearly 20 GB of data belonging to employees and customers of the Marriott at BWI Airport in Baltimore, Maryland. The stolen information included confidential business documents and customer payment data, such as credit card authorization forms.
As part of the settlement, Marriott has agreed to provide all customers in the U.S. with a way to request the deletion of any personal information linked to their email addresses or reward account numbers. The FTC reports that the data exposed during the breaches included passport information, credit and debit card numbers, birth dates, email addresses, and loyalty numbers, among other data. Marriott must also review reward accounts and restore stolen points to customers upon request.