Marriott International has been ordered to pay $52 million and enhance its cybersecurity measures following a series of significant data breaches that compromised the personal information of millions of customers. The settlements, announced by the Federal Trade Commission (FTC) and a coalition of state attorneys general, highlight the company's failure to adequately protect consumer data over the past decade.
Key Takeaways
Marriott will pay $52 million to 49 states and the District of Columbia.
The company must implement a robust information security program.
Affected breaches involved over 344 million customers worldwide.
Marriott is required to provide U.S. customers with a way to request deletion of their personal information.
Background Of The Breaches
Between 2014 and 2020, Marriott experienced three major cybersecurity incidents, the most notable stemming from its acquisition of Starwood Hotels in 2016. The breaches exposed sensitive data, including contact information, birthdates, and credit card details of approximately 500 million customers globally.
The largest breach, which occurred in 2018, revealed that unauthorized access to the Starwood guest reservation database had been ongoing since 2014. This breach not only compromised personal data but also exposed around 5 million unencrypted passport numbers.
Settlement Details
The recent settlements require Marriott to:
Pay $52 million to be distributed among the states involved.
Strengthen its data security practices significantly.
Provide U.S. customers with the option to request deletion of their personal information linked to loyalty accounts.
Connecticut Attorney General William Tong emphasized that companies must take reasonable measures to protect consumer data, stating, "Marriott clearly failed to do that."
Implications For Marriott
While the $52 million penalty appears substantial, it represents only a small fraction (1.6%) of Marriott's $3.08 billion profits in fiscal year 2023. This raises questions about the effectiveness of financial penalties in deterring corporate negligence regarding data security.
Since the announcement of the Starwood breach, Marriott has faced significant recovery costs, legal challenges, and reputational damage. However, critics argue that the penalties imposed have not been severe enough to prompt meaningful changes in corporate behavior.
Future Security Measures
As part of the settlements, Marriott has committed to:
Implementing a comprehensive information security program.
Undergoing independent assessments of its security measures every two years for the next 20 years.
Enhancing password controls, access controls, and network monitoring.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, "Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers."
The settlements mark a significant step in holding Marriott accountable for its cybersecurity failures. As the hospitality giant works to improve its data security practices, the incident serves as a cautionary tale for other companies regarding the importance of safeguarding consumer information in an increasingly digital world.