
Marriott fined $52 million for breach of customer privacy


Marriott International is being ordered to pay a heavy fine of $52 million over breaches of its security systems that exposed the data of more than 300 million customers worldwide, and to make changes to strengthen its data security practices.

The company was accused by the US Federal Trade Commission (FTC) and a coalition of states of failing to adequately protect the personal data of its customers over the past decade.

Specifically, a panel of attorneys general from 49 states and the District of Columbia is ordering Marriott to pay the states $52 million, and there is a separate FTC requirement that Marriott and its Starwood subsidiary implement “a robust information security program.” In addition, Marriott has agreed to provide all of its US customers with a way to request that any personal information related to their email address or loyalty account number be deleted.

As a result of the data breaches, unscrupulous people obtained the passport information, payment card numbers, loyalty accounts, birth dates, email addresses and/or personal information of hundreds of millions of consumers, according to the FTC’s complaint.

The FTC alleged that poor data security practices by Marriott and its subsidiary Starwood Hotels & Resorts Worldwide led to the breaches.

Specifically, the agency alleged that the hotel company did not secure its computer system with proper password controls, network monitoring or other practices to safeguard data.

In a statement on its website, Bethesda, Maryland-based Marriott noted that it made no admission of liability under its agreements with the FTC and the states. It also said it has already put in place improvements to protect data privacy and information security.

Marriott announced plans to acquire Starwood in 2015, but Starwood subsequently informed customers that it had suffered a breach of its data systems lasting 14 months and involving the card information of 40,000 customers.

The violations

Between 2014 and 2020, Marriott suffered three high-profile cybersecurity breaches.

The first breach occurred in June 2014 and involved payment card information of more than 40,000 Starwood customers. The breach remained undetected for 14 months until Starwood notified its customers in November 2015, just four days after Marriott announced its acquisition of Starwood.

The second breach began around July 2014 and remained undetected until September 2018. During that time, malicious actors gained access to 339 million Starwood customer account records worldwide, including 5.25 million passport numbers.

The third breach, which went undetected from September 2018 to February 2020, affected Marriott’s own network. The malicious actors had access to 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained important personal information such as names, mailing addresses, email addresses, phone numbers, birth dates and loyalty account information.
