Marriott has agreed to pay $52 million and implement new consumer data protections to settle investigations by attorneys general from 49 states and the District of Columbia and by the Federal Trade Commission, following data breaches that occurred between 2014 and 2020.
The First Breach
In November 2015, Starwood Hotels, a former competitor that Marriott later acquired, notified its customers that it had experienced a 14-month-long data breach. As early as June 2014, attackers breached Starwood’s computer network, compromised unprotected administrative accounts and credentials, and used them to install malware at over 100 Starwood hotels. The attackers gained access to customers’ payment card information, including full name, payment card number, expiration date, and security code. A forensic examination found that inadequate firewalls and network segmentation, insufficient access controls, the use of outdated and unsupported software, and the lack of multifactor authentication contributed to the breach.
The Second Breach
In July 2014, attackers installed malware on Starwood’s external-facing web server and from there gained access to Starwood’s internal network, where they remained for nearly four years. Marriott did not discover the intrusion until September 7, 2018. The attackers extracted confidential information from Starwood’s systems, including the personal information of hundreds of millions of customers: unencrypted passport numbers, names, gender, dates of birth, payment card numbers, addresses, email addresses, telephone numbers, usernames, Starwood loyalty numbers, partner loyalty program numbers, and hotel stays and other travel data. The travel data included the location and duration of hotel stays, the number of children and guests, and flight information. A forensic examination determined that inadequate firewall controls, unencrypted payment card information stored outside of the secure cardholder data environment, the lack of multifactor authentication, and inadequate monitoring and logging practices contributed to the breach.
The Third Breach
From September 2018 to December 2018, and again in early 2020, attackers compromised the credentials of employees at a Marriott hotel, used them to gain access to Marriott’s network, and obtained customers’ personal information. The attackers accessed more than 5.2 million guest records, including names, mailing addresses, email addresses, phone numbers, affiliated companies, gender, month and day of birth, Marriott loyalty account information, partner loyalty program numbers, and hotel stay and room preferences.
The States and The FTC Investigate
After the data breaches were announced, attorneys general from forty-nine states (California did not participate) and the District of Columbia, as well as the Federal Trade Commission, began investigating Marriott. The states and the FTC determined that Marriott violated multiple consumer protection laws and rules by failing to implement reasonable data security practices and by failing to remediate Starwood’s data security deficiencies when Marriott acquired the company. The FTC alleged that Marriott falsely claimed to use appropriate safeguards to protect consumers’ personal information while failing to do so, and that this failure to employ reasonable security measures constituted unfair or deceptive acts or practices in violation of the Federal Trade Commission Act.
The Settlement
Marriott agreed to pay the States $52 million and to provide remedies to Marriott customers. Marriott customers can:
- Ask to review their Marriott Bonvoy account for unauthorized or suspicious activity. If, after an investigation, Marriott determines that their loyalty points were stolen through unauthorized access to their account, Marriott will restore the stolen points.
- Request that Marriott delete the personal information associated with their email address or Marriott Bonvoy account number.
- Enable multi-factor authentication on their Marriott Bonvoy account to add an extra layer of security.
Additionally, Marriott must implement additional data protection safeguards, including:
- Implementing a comprehensive information security program that includes multi-factor authentication, encryption, and other safeguards.
- Cooperating with third-party audits to assess its information security program.
- Only collecting and keeping personal information if it has a business need for it.
- Using the collected information solely for its intended purpose.
- Deleting collected information when it is no longer needed.
- Not using information that customers requested Marriott delete for marketing purposes.
Takeaways
This settlement highlights the critical importance of data security practices in protecting consumer information, and in particular the need to assess and remediate a target’s security deficiencies when acquiring another company. It serves as a reminder to organizations across all industries to prioritize data security and maintain compliance with consumer protection laws to prevent similar breaches and their costly consequences.
For additional information and questions regarding this case, contact KJK attorney Michael Hoenig (MDH@kjk.com; 216.736.7247) or anyone in KJK’s Cybersecurity and Data Breach practice group at 216.696.8700.