Hotel Chain Also Settles with Federal Trade Commission
The world’s largest hotel chain agreed Wednesday to pay $52 million and to submit to two decades of third-party monitoring of its cybersecurity program to settle a rash of data breaches affecting millions of guests.
The multimillion-dollar payout is part of a settlement reached with 50 U.S. attorneys general – 49 states plus the District of Columbia.
A consent order with the Federal Trade Commission requires two decades’ worth of cybersecurity program assessments by an outside assessor. The settlements all require final approval, whether from state judges or another round of voting by FTC commissioners, steps that typically amount to formalities.
“Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that,” said Connecticut Attorney General William Tong, who co-led the coalition of state attorneys general.
Maryland-based Marriott has been mired in data breach litigation almost continuously since 2018, when it uncovered hackers in the reservation system it acquired after buying the Starwood luxury franchise in September 2016. Further investigation showed the hackers – reportedly part of a Chinese cyberespionage operation – first gained access to the system in July 2014. A final tally calculated that 133.7 million hotel guests were caught up in the breach, including the unencrypted passport numbers of 5.25 million individuals. The FTC, in an administrative complaint, said hackers installed keyloggers, memory-scraping malware and remote access Trojans in “over 480 systems across 58 locations within the Starwood environment,” including the corporate network, data center, customer contact center and hotel locations.
Marriott divulged another breach in March 2020, disclosing that hackers infiltrated its network in an incident affecting 5.2 million guests. Data affected included identifying information such as names, emails, phone numbers and birthdays.
The FTC consent agreement also encompasses a breach detected by Starwood in November 2015. Over 14 months, hackers compromised unprotected administrative accounts and installed malware in more than 100 hotels, extracting full payment card data.
In a statement, Marriott said it is making no admission of liability in the settlements. “Protecting guests’ personal data remains a top priority for Marriott,” the company asserted.
As part of its agreement with state attorneys general, Marriott must embrace zero trust principles “where reasonably feasible.” It must also contractually require enhanced cybersecurity controls for “critical IT vendors” including cloud computing providers.
The FTC settlement requires the company to limit its data collection by retaining data only as long as necessary to fulfill its purpose. The hotel chain also must offer consumers an easy way to delete their personal information from corporate databases.
The two agreements require Marriott to establish a portal for consumers to request a review of their loyalty rewards account for suspicious activity occurring over the previous 12 months.
Putative class action litigation stemming from the 2018 breach continues in federal court. A judge in the U.S. District Court for the District of Maryland granted the lawsuit class action status in 2022, but an appeals court in August 2023 vacated that decision and remanded the case to the district court to further consider the effects of a class action waiver signed by hotel guests.
Marriott paid a $24 million fine in 2020 to British data regulators for the 2018 breach (see: Marriott Hit With $24 Million GDPR Privacy Fine Over Breach).