Marriott International and its subsidiary Starwood Hotels & Resorts have settled Federal Trade Commission (FTC) charges stemming from three data breaches between 2014 and 2020 that together exposed records of roughly 344 million customers. The FTC order requires the companies to implement a comprehensive information security program; in a parallel settlement with 49 states and the District of Columbia, Marriott agreed to pay $52 million in penalties.
Under the order, Marriott must give its US customers a way to request deletion of personal information linked to their loyalty rewards account number or email address, adopt a data retention policy that keeps customer data only as long as there is a business need for it, review loyalty rewards accounts for unauthorized activity upon request, and restore loyalty points stolen from compromised accounts.
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, emphasized the importance of this action in ensuring that Marriott improves its data security practices globally.
The first breach began in June 2014, when attackers compromised payment card details of more than 40,000 Starwood customers; it went undetected for 14 months, until November 2015. A second intrusion into Starwood's network began in July 2014 and was not discovered until September 2018, after Marriott had acquired Starwood. By then the attackers had accessed roughly 339 million guest account records worldwide, including more than 5 million unencrypted passport numbers.
The third breach began in September 2018 on Marriott's own network and was not discovered until February 2020. About 5.2 million guest records were accessed, roughly 1.8 million of them belonging to US residents.
Going forward, Marriott and Starwood must certify their compliance to the FTC annually for 20 years and obtain independent third-party assessments of their information security program every two years.
The penalty and the long-running compliance obligations reflect the scale of the breaches, and in particular the years-long gaps between intrusion and detection. For other organizations holding sensitive customer data, the lesson is not only to harden systems but to monitor them continuously, so that an intrusion is found in weeks rather than years, and to limit the blast radius by retaining only the data that is actually needed.
For affected customers, the order brings concrete remedies: deletion on request, restoration of stolen loyalty points, and an externally assessed security program. These are obligations imposed by the consent order rather than voluntary measures, and whether they deliver the intended protection will depend on the biennial assessments and annual certifications the order requires.

