Marriott Fined $52M Over Major Data Breaches, Commits to 20-Year Security Overhaul

October 10, 2024
  • Marriott International has reached settlements with the Federal Trade Commission (FTC) and attorneys general from 49 states and the District of Columbia following investigations into three significant data breaches that occurred between 2014 and 2020.

  • As part of these settlements, Marriott will pay a $52 million penalty to address allegations regarding inadequate data security practices that affected over 344 million customers worldwide.

  • FTC Director Samuel Levine emphasized that Marriott's poor security practices led to these breaches, highlighting the urgent need for improved data security measures.

  • The FTC has mandated that Marriott and its subsidiary, Starwood Hotels & Resorts, implement a comprehensive information security program to prevent future breaches.

  • Marriott is required to enhance its data privacy and information security programs, with many of the FTC's security requirements already in progress or implemented.

  • The settlement includes a stipulation that Marriott must certify compliance with the FTC's requirements annually for the next 20 years.

  • The breaches included unauthorized access to sensitive customer information, impacting millions of guests, with the most notable breach in November 2018 exposing data from approximately 383 million guests.

  • Exposed customer data from these breaches included names, addresses, payment card information, and passport details, raising significant privacy concerns.

  • As part of the settlement, Marriott will allow U.S. customers to request deletion of personal data linked to their email or loyalty accounts and will review and restore stolen loyalty points upon request.

  • To enhance security, Marriott will introduce multi-factor authentication for Marriott Bonvoy accounts, providing customers with additional protection.

  • These settlements follow a series of data breaches over the last decade that have raised alarms about the security of customer data at major hotel chains.

  • While Marriott has agreed to these terms, the company maintains that it does not admit liability in the settlements, stating that it has already implemented various data privacy and security enhancements.

Summary based on 12 sources

