From July 2014 until September 2018, Marriott International, Inc.'s guest reservation database was accessed by unauthorized users, and the breach went undetected the entire time. The breach affected 131.5 million customers and exposed records including customer contact information, gender, dates of birth, unencrypted passport numbers, and unexpired payment card information. It serves as a stark reminder of the risks and costly repercussions for companies that fail to implement reasonable customer data security measures.

The affected Marriott customers resided in all 50 U.S. states, so a coalition of 50 attorneys general launched a multistate investigation. The investigation found that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws. On October 9, 2024, the coalition of attorneys general and Marriott agreed to a settlement under which Marriott will pay $52 million to the states, strengthen its data security practices, and provide certain consumer protections.

The coalition found that Marriott failed to take reasonable measures to protect its consumer data, an obligation with which any company holding consumer data must comply. To shore up Marriott's data security, the settlement requires implementation of:
  • an Information Security Program (ISP), incorporating zero-trust principles, regular reporting, and employee training
  • encryption practices, a critical patch management policy and procedures, unauthorized user detection and user access controls, and logging and monitoring of users and files within the network
  • vendor and franchise oversight, including risk assessments for critical information technology vendors
  • M&A controls to assess any prospective acquired entity's information security program and identify gaps or deficiencies when integrating it with Marriott's network
  • assessments by an independent third party of Marriott's ISP every two years for 20 years

As part of the settlement agreement, Marriott will additionally:

  • give consumers protections including a data deletion option (even if their state law does not provide for this)
  • offer MFA (multi-factor authentication) for loyalty rewards accounts, and
  • conduct reviews of those accounts for any suspicious activity.

Lessons for Companies Handling Consumer Data

The Marriott breach underscores the importance of a proactive approach to data security. Failure to comply with data protection laws can result in significant financial penalties, regulatory scrutiny, and loss of consumer trust. To avoid these pitfalls, companies must:

  • Implement comprehensive information security programs and regularly review and update them.
  • Ensure sensitive data is encrypted and access is tightly controlled.
  • Monitor networks continuously for unauthorized access and respond swiftly to potential vulnerabilities.
  • Assess the security practices of vendors and partners, especially during mergers and acquisitions.
  • Engage independent third-party experts to assess the company's security posture regularly.

Source: https://portal.ct.gov/ag/press-releases/2024-press-releases/multistate-settlement-with-marriott-for-data-breach-of-starwood-guest-reservation-database