Marriott Agrees To Pay $52 Million To Settle Data Breaches

To settle US federal and state claims over multiple data breaches, Marriott International agrees to a $52 million settlement payment

The financial implications of a data breach have been exposed, after Marriott International agreed to pay millions of dollars to settle multiple claims from US agencies.

The Associated Press reported that Marriott has agreed to pay $52 million and make changes to bolster its data security. This is to settle claims from US states and federal agencies over the data breaches that exposed the personal data of hundreds of millions of people worldwide.

Marriott was rocked by three notable data breaches over the past decade, starting in 2014, and has been fined by data protection watchdogs and hit by lawsuits around the world as a result.

Data Breaches

A “colossal” hack on Marriott International was first revealed in December 2018. It affected the personal details and payment card data of up to 340 million people, dating back to 2014.

The data breach happened when the systems of the Starwood Hotels Group were compromised in 2014.

Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018.

Unfortunately for the hotel chain, in April 2020 Marriott confirmed a second data breach that had compromised the personal data of roughly 5.2 million guests around the world.

Then in July 2022 Marriott admitted a third data breach, after hackers gained access to a server at the Marriott hotel at Baltimore-Washington International Airport in Maryland.

Those hackers were able to steal 20GB of data including some credit card info and confidential information.

US settlement payment

The AP reported that both the US Federal Trade Commission and a group of attorneys general from 49 states and the District of Columbia announced the terms of separate settlements with Marriott on Wednesday.

The FTC and the states ran parallel investigations into the three data breaches, which resulted in “malicious actors” obtaining the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers, the FTC’s proposed complaint stated.

The FTC claimed that Marriott and subsidiary Starwood Hotels & Resorts Worldwide’s poor data security practices led to the breaches.

Specifically, the agency alleged that the hotel operator failed to secure its computer system with appropriate password controls, network monitoring or other practices to safeguard data.

As part of its proposed settlement with the FTC, Marriott agreed to “implement a robust information security program” and provide all of its US customers with a way to request that any personal information associated with their email address or loyalty rewards account number be deleted.

Marriott also settled similar claims brought by the group of attorneys general. In addition to agreeing to strengthen its data security practices, the hotel operator will also pay a $52 million penalty to be split by the states.

Marriott response

Bethesda, Maryland-based Marriott issued a statement on its website saying that it made no admission of liability, and indicated that the hotel chain has already put in place data privacy and information security enhancements.

“Marriott International Inc has reached final resolutions with the Federal Trade Commission (FTC) and 49 U.S. State Attorneys General and the District of Columbia in relation to the 2018 Starwood Hotels and Resorts Worldwide guest reservations database security incident,” it said.

“The resolution with the State Attorneys General includes an agreement to pay $52 million. As indicated in the agreements with the FTC and the State Attorneys General, Marriott makes no admission of liability with respect to the underlying allegations.”

“As part of the resolutions with the FTC and the State Attorneys General, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress,” it said.

“Protecting guests’ personal data remains a top priority for Marriott,” it concluded.