Marriott Settles with FTC: Major Overhaul of Data Security After Multiple Breaches Affecting Millions
October 10, 2024
Although Marriott has agreed to these terms, the company has made no admission of liability regarding the breaches.
The settlement also includes provisions for Marriott to restore stolen loyalty points and provide customers with options for enhanced security, such as multi-factor authentication.
The settlement, which involves 49 state attorneys general and the District of Columbia, addresses allegations related to data security breaches that compromised the information of over 344 million customers worldwide.
Additionally, a breach in early 2020 affected about 5.2 million guests due to compromised login credentials of employees at a franchised property.
FTC Director Samuel Levine emphasized that Marriott's inadequate security practices contributed to these breaches and highlighted the necessity for improved data security measures.
As part of the settlement, Marriott will enhance its data privacy protocols, including allowing U.S. customers to request the deletion of personal information linked to their accounts.
Marriott is also required to conduct independent assessments of its information security program every two years and certify compliance with the FTC for the next 20 years.
The U.S. Federal Trade Commission (FTC) announced a settlement with Marriott International and its subsidiary Starwood Hotels & Resorts, mandating the implementation of a comprehensive information security program following multiple data breaches that occurred between 2014 and 2020.
These breaches resulted in unauthorized access to sensitive customer information, including passport details, payment card numbers, and email addresses.
A significant breach in November 2018 exposed data from approximately 383 million guests, including unencrypted passport numbers and credit card information.
The FBI investigated the 2018 breach, suspecting that the hackers were associated with the Chinese Ministry of State Security.
This settlement follows a decade marked by multiple data breaches that have raised serious concerns about Marriott's data security practices.
Summary based on 11 sources