Marriott International has agreed to pay $52 million and make changes to strengthen its data security to resolve state and federal claims related to a major data breach that affected more than 300 million of its customers worldwide.
The Federal Trade Commission and a group of attorneys general from 49 states and the District of Columbia announced separate settlement terms with Marriott on Wednesday. The FTC and states conducted joint investigations into three data breaches, which occurred between 2014 and 2020.
As a result of the data breach, “malicious actors” obtained passport information, payment card numbers, loyalty numbers, birthdays, email addresses and/or personal information on hundreds of millions of consumers, according to the proposed FTC complaint.
The FTC said Marriott and its subsidiary Starwood Hotels & Resorts Worldwide’s poor data protection practices led to the breach.
Specifically, the agency alleged that the hotel operator failed to protect its computer system with appropriate password controls, network monitoring or other data protection procedures.
As part of its proposed settlement with the FTC, Marriott agreed to “implement a robust information security program” and provide all of its US customers with a way to request that any personal information associated with their email address or loyalty rewards account number be removed.
Marriott also settled similar claims brought by a group of senior lawyers. In addition to agreeing to strengthen its data security procedures, the hotel operator will also pay a $52 million fine to be split by the states.
In a statement on its website Wednesday, Bethesda, Maryland-based Marriott noted that it has pleaded not guilty as part of its agreements with the FTC and states. It also said it has already installed data privacy and information security enhancements.
In early 2020, Marriott realized that an unexpected amount of guest information was being accessed using the login credentials of two employees at a published location. At that time, the company estimated that the personal data of about 5.2. millions of tourists worldwide may have been affected.
In November 2018, Marriott announced a major data breach in which hackers accessed information on approximately 383 million guests. In that case, Marriott said at least 5.25 million guests’ blank passport numbers were accessed, along with 8.6 million guests’ credit card information. The affected hotel brands were operated by Starwood before they were acquired by Marriott in 2016.
The FBI led the investigation into the data theft, and investigators suspect the hackers were working for China’s State Security Ministry, which is the rough equivalent of the CIA.
-Alex Veiga, AP Business Writer
Source link
