Marriott Fined $52 Million, FTC Orders Stronger Security After Repeated Data Breaches

Multiple large data breaches occurred at Marriott and its subsidiary, Starwood Hotels and Resorts, from 2014 to 2020, the FTC said.
Katabella Roberts

The U.S. Federal Trade Commission (FTC) has ordered hotel operator Marriott International to implement “robust” changes to its data security program in order to resolve state and federal claims related to multiple data breaches.

Marriott also agreed to pay a $52 million fine to 49 states and the District of Columbia to resolve similar data security allegations.

Three large data breaches occurred at Marriott and its subsidiary, Starwood Hotels and Resorts Worldwide, from 2014 to 2020, impacting more than 344 million customers worldwide, the FTC said in a statement on Wednesday.

The data breaches happened owing to the companies’ “failure to implement reasonable data security,” the commission said.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries.

It acquired Starwood in 2016.

The FTC said the first breach began in June 2014 and involved payment card information of more than 40,000 Starwood customers.

That breach went undetected for 14 months until Starwood notified customers in November 2015, just four days after Marriott announced it was acquiring Starwood, the commission said.

The second breach occurred around July 2014 and went undetected for more than four years, allowing hackers to access 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers, the FTC said.

The third and final breach took place from September 2018 until February 2020 and impacted Marriott’s own network, according to the FTC.

During that breach, hackers accessed the guest records of 5.2 million people worldwide, including data from 1.8 million Americans. Those records included “significant amounts of personal information,” such as names, mailing addresses, email addresses, and phone numbers, the commission said.

The FTC alleged the breaches happened because Marriott and Starwood failed to implement appropriate password controls, access controls, firewall controls, or fix outdated software and systems, among other things.

Under the settlement, Marriott and Starwood also agreed to provide their U.S. customers with a way to request the deletion of any personal information associated with their email address or loyalty rewards account number.

The two companies must also review loyalty rewards accounts upon customer request and restore stolen loyalty points, the FTC said.

“Companies have an obligation to take reasonable measures to protect consumer data security,” said Connecticut Attorney General Tong Co, who was among the attorneys general to bring a claim against Marriott over the data breaches. “Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests.”

After the settlement was announced, Marriott said in a statement to multiple media outlets that protecting guests’ personal data “remains a top priority” for the hotel operator.

“These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats,” said a spokesperson for the hotel giant.

Marriott noted it does not admit liability in its agreements with the FTC and the state attorneys general.

The Epoch Times contacted Marriott for further comment but didn’t receive a reply by publication time.

Reuters and The Associated Press contributed to this report.
Katabella Roberts is a news writer for The Epoch Times, focusing primarily on the United States, world, and business news.