Marriott settles for a piddly $52M after series of breaches affecting millions

Intruders stayed for free on the network between 2014 and 2020

The Register

Marriott has agreed to pay a $52 million penalty and develop a comprehensive infosec program following a series of major data breaches between 2014 and 2020 that affected more than 344 million people worldwide.

This comes as a result of two settlements announced today: one involving a coalition of 49 state attorneys general and the District of Columbia, which had launched an investigation after network intruders stole sensitive customer information, including some financial details. The $52 million will be distributed among all 50.

The second settlement [PDF], reached with the US Federal Trade Commission, will require Marriott International and its subsidiary Starwood Hotels and Resorts Worldwide to, among other things, implement better cybersecurity practices and certify compliance to the FTC for 20 years, plus provide customers an easy way to tell the hotel chains to delete the personal information collected about them.

Per usual, in agreeing to the settlements, "Marriott makes no admission of liability with respect to the underlying allegations," according to a statement on the hotel's website and both agreements.

"As part of the resolutions with the FTC and the State Attorneys General, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress," the statement continued. 

"For example, Marriott is offering US customers a process to request deletion of their personal information, offering an online portal for Marriott Bonvoy members to report potentially suspicious loyalty account activity, and implementing a multi-factor authentication option for Marriott Bonvoy accounts," it added.

Both of the investigations stemmed from a series of network intrusions between 2014 and 2020 across Marriott, which manages more than 7,000 properties globally, and Starwood, which Marriott acquired in 2016.

The first breach involved payment card info belonging to more than 40,000 Starwood customers, according to the FTC's proposed complaint [PDF]. 

Four days after Marriott announced it had bought Starwood, the subsidiary notified customers that data thieves had spent 14 months on its network, beginning in June 2014, when they snarfed up customers' names and card numbers before being booted off the systems.

The second breach began around July 2014, and went undetected for more than four years, until September 2018. This one involved the theft of more than 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. 

A third breach, beginning in September 2018, affected Marriott's network and took almost two years to detect — this one wasn't spotted until February 2020. This gave the intruders plenty of time to steal names, physical and email addresses, phone numbers, month and day of birth, and loyalty account information belonging to 1.8 million Americans.

All of these breaches were made possible by Marriott and Starwood's allegedly non-existent security, which, according to the complaint, included poor password management and access control practices, shoddy network segmentation and software patching procedures, multi-factor authentication that wasn't turned on in all instances, and inadequate log and network monitoring.

To resolve these complaints — and, again, without admitting any guilt — Marriott has agreed to pay the US states and Washington, DC $52 million. To put this in perspective: the global hotel giant raked in about $23.71 billion in revenue in 2023. So it's not going to miss the $52 million distributed among the states.

It also agreed to implement a series of practices designed to improve its data security and minimize the info it collects from customers. This includes only retaining personal information for as long as is necessary to fulfill the purpose for which it was collected.

Both companies will also provide a link where customers can tell the hotels to delete any personal information associated with their email or loyalty rewards program account number.

Additionally, under the agreements, Marriott and Starwood are required to establish an information security program that will undergo an independent, third-party assessment every two years. This, among other things, includes using MFA, network segmentation and data encryption.

And finally, the companies must provide a method for consumers to request a review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts. Marriott has also pledged to restore any loyalty points stolen by cybercriminals. ®