Marriott has agreed to a $52 million settlement with 49 states and Washington, DC, following a series of data breaches that compromised the personal information of over 334 million customers between 2014 and 2020.

In addition, the Federal Trade Commission (FTC) has mandated that Marriott, along with its subsidiary Starwood Hotels & Resorts, implement a comprehensive information security program to address its security shortcomings.

According to Samuel Levine, director of the FTC’s Bureau of Consumer Protection, “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.” The FTC’s coordinated action with state partners aims to enforce stronger data protection practices across Marriott’s global operations.


The FTC’s investigation revealed that Marriott misled customers about the strength of its data security measures, leaving sensitive information exposed. Specific failures included inadequate password controls, outdated software, lack of network segmentation, and absence of multifactor authentication. One notable breach in 2020 saw hackers steal 20GB of sensitive data from the BWI Airport Marriott in Baltimore, including business documents and customer payment information.

As part of the settlement, Marriott will offer US customers the option to request deletion of personal data linked to their email addresses or loyalty accounts. Customers whose rewards points were stolen in the breaches can also request the restoration of their points. This move is intended to provide restitution and enhance Marriott’s accountability in safeguarding customer information.
