FTC Settlement: Marriott’s $52 Million Lesson in Data Protection

Highlights

* As part of a recent settlement, Marriott will pay $52 million in penalties for data breaches that exposed the information of 344 million guests.

* Marriott must also create a 20-year information security program with encryption, training, and third-party audits.

Introduction

Ten years later, Marriott International is still grappling with the aftermath of three major data breaches that exposed the personal information of over 344 million guests worldwide.

In a recent settlement with the U.S. Federal Trade Commission (FTC) and 50 state attorneys general, the global hotel chain agreed to bolster its information security protocols and give U.S. guests the right to request that their data be deleted. Additionally, Marriott must pay $52 million in penalties to 49 states and the District of Columbia to address violations stemming from the 2014–2020 data breaches.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a published statement on 9 October. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Alleged Security Failures

The FTC’s complaint alleges that Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide LLC, misled consumers by claiming to have reasonable and appropriate data security measures in place. According to the complaint, these security failures led to the three major data breaches between 2014 and 2020.

The first breach began in 2014 within Starwood’s systems, exposing the payment card details of 40,000 customers. The breach went undetected for 14 months. It was announced four days after Marriott announced its intent to acquire Starwood.

In 2018, Marriott uncovered another breach, also linked to Starwood’s systems. Hackers had used a remote access Trojan (RAT) to infiltrate the network and re-encrypted stolen data to remain undetected for four years. This massive breach exposed eight million credit card records and 25 million unencrypted passport numbers, ultimately costing Marriott an estimated $2 billion in fines and legal expenses.

In 2020, Marriott discovered yet another breach, this time originating from unauthorized access to its network dating back to 2018. This incident exposed the personal data of over 5.2 million guests.

Though not within the scope of the settlement, Marriott experienced a fourth breach in 2022. Criminals used social engineering techniques on hotel staff to gain access to 20 gigabytes of customer data, including guest credit card numbers.

The Settlement

As part of the settlement, Marriott is required to take several key actions to improve its data security and protect consumer information.

These include:

* Increased Transparency: The hotel chain is prohibited from misrepresenting how it collects, manages, secures, or deletes guests’ personal data, and must be transparent about how it protects that data.

* Financial Penalties: Marriott must pay $52 million USD to 49 states and the District of Columbia to resolve data security violations.

* Information Security Program: Marriott and Starwood must implement a robust, 20-year information security program that includes encryption, employee training, and vulnerability management. As part of this program, the chain must certify its compliance to the FTC annually and undergo independent third-party assessments every two years.

* Data Minimization: The company must limit the collection and retention of personal information to what is necessary, clearly disclosing to guests why the data is being collected and how long it will be retained.

* Loyalty Account Monitoring: Marriott must allow guests to request reviews of unauthorized activity in their loyalty accounts (e.g., Marriott Bonvoy), restoring stolen points where necessary.

* Data Deletion Requests: A system must be established through which customers can request the deletion of their personal data, linked to their email address or loyalty account number.

Impact on Hoteliers

This settlement sets a new standard for hospitality that reflects an increasing global emphasis on stringent data protection. The EU’s General Data Protection Regulation (GDPR) has been at the forefront of this movement, imposing heavy fines on companies that fail to safeguard consumer data. Notably, Marriott International faced an £18.4 million fine in 2020 for failing to comply with GDPR requirements following this series of breaches.

In the U.S., financial penalties for data breaches have traditionally come through civil litigation, class action lawsuits, and regulatory frameworks like the Payment Card Industry Data Security Standard (PCI DSS). However, recent years have seen a surge in state-level privacy laws, with over 20 states already enacting data protection legislation and more in the pipeline.

This settlement between the FTC and state authorities sets a crucial precedent for U.S. data protection standards, many of which mirror GDPR’s principles such as data minimization, employee training, and honoring consumer requests regarding personal information. This may signal a broader shift toward uniform data security requirements in the U.S. to reflect the global trend.

Additionally, this ruling highlights another growing challenge facing hoteliers: vulnerabilities in loyalty and rewards programs.

Loyalty fraud is a prevalent issue for hospitality in particular, with estimated annual losses reaching $1 billion. Due to lax monitoring and security measures, loyalty and reward accounts have become an attractive target for cybercriminals who gain access and redeem the accumulated points for cash equivalents, products, or services.

The settlement’s requirement for active monitoring of Marriott Bonvoy rewards accounts highlights the increasing focus on combating loyalty fraud.

Conclusion

The Marriott settlement highlights the increasing global focus on data protection, sending a clear message to hoteliers: failure to adhere to these standards can result in severe financial and legal penalties across multiple jurisdictions. With evolving security frameworks like GDPR and state privacy laws, hospitality must prioritize robust data security measures or face escalating consequences.

Feeling overwhelmed? Don’t be. As a leader in hospitality data protection, VENZA provides vendor security assessments and privacy management solutions to help hoteliers navigate the evolving global regulatory landscape.
