Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide have agreed to pay a $52m penalty and boost information security to settle charges related to three large data breaches. The incidents, which took place between 2014 and 2020, impacted more than 344 million customers.
The hotel operator reached separate settlements with the US Federal Trade Commission (FTC) and a group of attorneys general from 49 states and the District of Columbia to resolve the probes.
As part of the first settlement, the FTC directed Marriott and Starwood to implement a comprehensive information security programme and certify compliance annually for 20 years. Additionally, the security programme must undergo an independent, third-party assessment every two years.
The hotel company also needs to provide its US customers with a way to delete personal information and enable review of unauthorised activity in their respective Marriott Bonvoy loyalty rewards accounts. Marriott must also restore stolen loyalty points, if any, in customer accounts. The FTC additionally instructed Marriott to minimise customer data collection and delete the data once the purpose for which it was collected has been fulfilled.
Marriott reached the second settlement with a coalition of 50 attorneys general, co-led by Connecticut, to resolve similar data security allegations. The $52m payout will be divided among all 50.
Marriott Data Security Failures
In 2016, Marriott acquired Starwood and took over the responsibility for the data security practices of both brands. The first of the three breaches of its systems cited by the FTC took place before that takeover in June 2014, though Starwood customers were only notified by November 2015. On that occasion, the card details of some 40,000 Starwood customers were exposed. This was followed by a second, slower-burning breach lasting from July 2014 through to September 2018, when hackers purloined 339m guest account records from Starwood, and a third incident lasting from September 2018 to February 2020 where 5.2m guest records were compromised.
In a separate statement, Marriott acknowledged reaching final resolutions on the breaches – though it stopped short of admitting any liability for the cyber-incidents. “Protecting guests’ personal data remains a top priority,” said the operator. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
The fine imposed on Marriott by the FTC was immediately criticised by cybersecurity experts as being inappropriately small given the chaos caused by the three breaches. Industry stalwarts The Register derided the penalty as “piddly,” while Closed Door Security’s CEO William Wright condemned the settlement as “insignificant.”
Wright added that the entire set of incidents revealed the operator’s failure to conduct appropriate due diligence on Starwood’s security practices. “This fine is merely a slap on the wrist to a multi-billion-dollar organisation like Marriott,” he said. “It also follows in the wake of the ICO’s minor fine against the organisation in 2020. But, if the regulators really want to encourage businesses to improve their cyber hygiene, this doesn’t send out a good message. It certainly won’t be enough to deter other businesses from being lax with their defences.”