FTC Requires Marriott to Implement Security Program After Data Breaches
The U.S. Federal Trade Commission announced Wednesday that it will require Marriott International and its subsidiary, Starwood Hotels & Resorts Worldwide, to implement an information security program to settle charges stemming from multiple data breaches between 2014 and 2020.
The three major data breaches, which occurred during that period, affected more than 344 million customers worldwide, according to the FTC.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
As part of the settlement, Marriott and Starwood agreed to allow U.S. customers to request the deletion of personal information linked to their email address or loyalty rewards account number. Marriott will also review loyalty rewards accounts upon request and restore stolen loyalty points, the FTC said.
In a separate settlement, also announced Wednesday, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia—of which New York will receive $2.29 million—to resolve similar data security allegations, the FTC said.
“When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” said Attorney General James. “Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies. I am proud to stand with my fellow attorneys general to hold Marriott accountable and to protect customers.”
Marriott representatives emphasized that the company made no admission of liability regarding the underlying allegations, as indicated in the agreements with the FTC and state attorneys general.
“Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats,” Marriott said in a statement following the settlement.
In 2020, Marriott also faced a class action lawsuit in London filed by millions of former guests seeking compensation after their personal records were hacked in one of the largest data breaches in history.