Marriott agreed to pay a $52 million settlement to 49 states and Washington, DC over a series of data breaches that occurred between 2014 and 2020, affecting more than 334 million customers. As part of a separate agreement, the Federal Trade Commission is also requiring Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, to implement an information security program to settle charges over the data breaches.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
The FTC says Marriott and Starwood, which it acquired in 2016, deceived customers by claiming to have reasonable and appropriate data security, but instead left them vulnerable to breaches. The FTC’s complaint alleges that Marriott failed to implement appropriate password controls, firewall controls, or network segmentation. The company failed to patch outdated software and systems, and didn’t deploy multi-factor authentication, according to the FTC.
In one incident, discovered in 2020, hackers stole about 20GB of employee and customer data from the BWI Airport Marriott in Baltimore, Maryland. The data included confidential business documents and customer payment information, including credit card authorization forms.
As part of the settlement, Marriott has agreed to give all US customers a way to request that any personal information associated with their email addresses or loyalty rewards account number be deleted. According to the FTC, customers’ passport information, debit and credit card numbers, dates of birth, email addresses, loyalty numbers, and other information were exposed in the breaches. Marriott is also required to review rewards accounts and restore customers’ stolen rewards points upon request.