Marriott & Starwood Face $52M Settlement After Security Breaches

The hotel giant will be held to higher security standards in a series of proposed requirements, including implementing a new annually reviewed security program.

Dark Reading Staff, Dark Reading

October 11, 2024

Marriott logo on the exterior of a 5-star luxury Marriott Hotel in Copenhagen
Source: Wdnet Studio via Alamy Stock Photo

Marriott and its subsidiary Starwood Hotels have agreed to pay $52 million in fines and create a revamped information security program, in a Federal Trade Commission (FTC)-led settlement over three data breaches, occurring between 2014 and 2020, that affected 344 million customers.

The hotel giant also agreed to provide its US customers with a way to request deletion of the personal information associated with their loyalty rewards account number or email address. In addition, it must implement a policy to retain customers' personal information only for as long as necessary to fulfill its purpose. Marriott will also be required to review loyalty rewards accounts upon request and to reimburse stolen loyalty points.

"The FTC's action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe," said Samuel Levine, director of the FTC's Bureau of Consumer Protection.

The first breach began in June 2014 and involved the payment card information of more than 40,000 Starwood customers; it went undetected for 14 months, until November 2015.

Starwood faced its second breach in July 2014. That intrusion went undetected for years — until 2018, when 339 million Starwood guest accounts were revealed to have been accessed by malicious actors, exposing various data, including 5 million unencrypted passport numbers.

And finally, Marriott was breached again in 2018, in an incident that went undetected until February 2020. In that breach, 5.2 million guest records were accessed, nearly 2 million of them belonging to Americans.

Going forward, Marriott and Starwood will have to certify compliance with the FTC annually for 20 years, and undergo independent third-party assessments every two years.
