Marriott’s $52M data breach settlement includes cut for NJ

Kimberly Redmond//October 11, 2024//

Marriott International Inc. is based in Bethesda, Md., and encompasses a portfolio of approximately 9,000 properties across more than 30 brands in 141 countries and territories.

Marriott International Inc. is based in Bethesda, Md., and encompasses a portfolio of approximately 9,000 properties across more than 30 brands in 141 countries and territories. - PROVIDED BY MARRIOTT

Marriott International Inc. is based in Bethesda, Md., and encompasses a portfolio of approximately 9,000 properties across more than 30 brands in 141 countries and territories.

Marriott International Inc. is based in Bethesda, Md., and encompasses a portfolio of approximately 9,000 properties across more than 30 brands in 141 countries and territories. - PROVIDED BY MARRIOTT

Marriott’s $52M data breach settlement includes cut for NJ

Kimberly Redmond//October 11, 2024//

Listen to this article

Marriott International Inc. agreed to pay $52 million to resolve state and federal claims related to massive data breaches between 2014 and 2020 that impacted more than 344 million customers worldwide.

Under the settlement announced Oct. 9, the Maryland-based hotel operator also agreed to strengthen its cybersecurity practices going forward as well as improve protections for consumers.

As part of Marriott’s resolution with attorney generals from 49 states and the District of Columbia, New Jersey will receive $13 million, according to officials.

The states alleged that Marriott violated laws and consumer protection laws. According to officials, the company misrepresented the ways in which it protected consumers’ personal information and failed to use adequate cybersecurity safeguards to protect that data.

The incidents

Marriott acquired Starwood Hotel and Resorts Worldwide for $13.6 billion 2016, taking control of the brand’s guest reservation database. However, unbeknownst to Marriott, an unauthorized third-party installed malware in the system two years prior, which allowed hackers to gain access to customer data from July 2014 to September 2018.

According to officials, impacted information included:

  • Contact details
  • Gender
  • Birth dates
  • Reservation details
  • Hotel stay preferences
  • Unencrypted passport umbers
  • Unexpired payment card information

 

Marriot became aware of the breach in September 2018 and disclosed the matter two months later. After, the company conducted a forensic examination that revealed security issues. According to officials, the failures included:

  • Inadequate firewall controls
  • Unencrypted payment card information stored outside of the secure cardholder data environment
  • Lack of multifactor authentication
  • Poor monitoring and logging practices

 

In a second incident, intruders were allegedly able to compromise the credentials of employees at a Marriott-franchised property. That allowed them to gain access to the company’s own network for a period of several months, officials said.

These attackers began accessing and exporting consumers’ personal information without detection from September 2018 to December 2018. The breach resumed in January 2020 and continued until it was discovered the next month, officials said.

Matthew Platkin
Platkin

“This settlement is another example of how New Jersey and other states are working together to hold corporations accountable for their failures to safeguard customer data,” New Jersey Attorney General Matthew Platkin said in a statement. “Together, we are requiring companies to treat consumer data as carefully as they do their other assets.”

Moving forward

The Federal Trade Commission, which has coordinated closely with the states throughout the investigation, reached a parallel settlement with Marriott.

According to an Oct. 9 FTC announcement, Marriott agreed to provide all its U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number.

Marriott is also required to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

See also:

Earlier this month, American Water was forced to temporarily shut down its online customer service portal and pause billing services after being hit with a cyberattack. Click here for more.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection commented. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Marriott made no admission of liability regarding the allegations. The company issued a statement saying it will “continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress.”

“Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats,” the company said.