United States: Marriott pays multimillion dollar fine for allowing data leaks

Marriott’s insufficient security measures made the data theft possible, the FTC alleges. (Source: CC0 1.0 Universal)

The Marriott International hotel chain has reached a settlement in the US with the attorneys general of 49 states and the District of Columbia and will pay a 52 million dollar fine. The attorneys general investigated several data leaks at Marriott and its Starwood subsidiary and found that the data of more than 344 million people had been stolen. The company has also reached an agreement with the US Federal Trade Commission (FTC) to institute further measures to protect personal data.

Both the FTC and the group of attorneys general conducted investigations into the data leaks at the hotel chain: between 2014 and 2020 there were three such incidents, leading to the theft of the data of hundreds of millions of guests worldwide, the FTC reported on Wednesday. The Marriott International hotel network includes more than 7,000 properties across the US and more than 130 countries.

System intrusions not detected

The first breach occurred in June 2014, when payment information was stolen from more than 40,000 Starwood customers. According to the FTC, the data breach went undetected for 14 months. In November 2015 Starwood finally informed its customers – four days after Marriott had announced its plan to acquire the company. The acquisition was finalized in 2016. Since then, Marriott has been responsible for data security at both companies.

In July 2014 unknown actors again infiltrated Starwood’s systems. This data theft went undetected until September 2018, the FTC reports – by which time Marriott had acquired the company. During this four-year period, malicious actors had access to over 480 computer systems located not only in data centers but also at individual hotels, and among other actions they installed malware on those systems. The data that was stolen included 5.25 million unencrypted passport numbers.

Other guest information stolen at the time included names, dates of birth, gender, addresses, email addresses, phone numbers, and payment information. Information relating to guests’ hotel stays was stolen as well.

A third cyberattack on Marriott’s computer systems went undetected between September 2018 and February 2020, according to the FTC. During that time period hackers had access to the data of more than 5.2 million guests of the hotel chain. This data included names, addresses, email addresses, phone numbers, and “hotel stay and room preferences.”

At the time, Marriott said that payment information and ID numbers were not stolen.

Connecticut Attorney General William Tong said in a statement: “Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests.”

Marriott has now agreed to the multi-state settlement and will pay a fine of 52 million dollars. The fine will be divided between the 49 participating states and the District of Columbia. The attorneys general had accused the hotel chain of violating consumer protection and data protection laws.

Company must improve security practices

As part of its settlement with the FTC, the company commits to implement a “comprehensive information security program” to improve its data security. The FTC charges Marriott and Starwood with failing to take sufficient steps to protect customer data. In its complaint, the agency alleges that Marriott and Starwood’s systems lacked “appropriate password controls” and multi-factor authentication. The company also “failed to patch outdated software and systems in a timely manner.”

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement: “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.”

Over the next 20 years Marriott must provide annual assurance to the FTC that it is adhering to its new security policies. The company must also ensure that it retains personal data for only as long as is necessary. Customers must be provided with a link allowing them to request deletion of data associated with their email address or loyalty rewards account.

After the data breach that came to light in 2018, Britain’s data protection authority, the Information Commissioner’s Office (ICO), took action and imposed a fine of 99.2 million pounds. The hotel chain contested the fine, and in 2020 it was ultimately reduced to 18.4 million pounds. (js)