Wednesday, October 9, 2024

Attorney General James Announces $52 Million Multistate Settlement with Marriott over Data Breach

 

Marriott Data Breach Affected Millions of New York Customers, Settlement Requires Hotel to Improve Data Security and Pay Penalties

New York Attorney General Letitia James today announced a $52 million multistate settlement with Marriott International, Inc. (Marriott) over a multi-year data breach of one of its guest reservation databases. A multistate investigation found that one of Marriott’s subsidiaries, Starwood Hotels and Resorts Worldwide (Starwood), had intruders in its system for four years without being detected, leading to a data breach that affected 131.5 million customers nationwide, including millions of New Yorkers. Today’s settlement with 50 attorneys general requires Marriott to significantly overhaul and strengthen its data security to protect customers’ private information and pay $52 million in penalties, of which New York will receive $2.29 million.

“When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” said Attorney General James. “Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies. I am proud to stand with my fellow attorneys general to hold Marriott accountable and to protect customers.”

Starwood operates hundreds of hotels nationwide, including hotels in New York. Marriott acquired Starwood in 2016 and took control of its computer network and databases. A multistate investigation discovered that from July 2014 until September 2018 intruders accessed and stayed on Starwood’s databases undetected for years. This intrusion led to the breach of 131.5 million customers’ personal information. The theft impacted people nationwide and exposed personal information, including contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information. 

Today’s settlement requires Marriott to significantly strengthen and continually improve its cybersecurity practices. Some of the specific measures include:

  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20.
  • Data minimization and disposal requirements, which will lead to less customer data being collected and retained.
  • Implementation of a comprehensive Information Security Program, including regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
  • In the future, if Marriott acquires another entity, it must promptly assess the acquired entity’s information security program and develop plans to address deficiencies as part of the integration into Marriott’s network.

As part of the settlement, Marriott will allow customers to delete their data that is stored with the hotel if they wish to do so. Marriott must also offer multi-factor authentication to customers for their loyalty rewards accounts, such as Marriott Bonvoy, and conduct reviews of those accounts to ensure there is no suspicious activity. 

Joining Attorney General James in signing today’s settlement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Connecticut, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New Jersey, North Carolina, North Dakota, Ohio, Oregon, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, Wyoming, Vermont, and the District of Columbia.
