by Lacey Pfalz
Last updated: 9:45 AM ET, Thu October 10, 2024
Marriott International, Inc. agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve data security allegations.
According to the Federal Trade Commission (FTC), Marriott is settling two settlements related to security breaches that impacted over 344 million customers from 2014 to 2020. Marriott is also required to provide all its U.S. customers with a way to request their personal information to be deleted and to restore stolen loyalty points to customers.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
The FTC complaint alleges that Marriott deceived its customers by stating it had “reasonable and appropriate data security.” Yet three separate data breaches from 2014 to 2020 led to hundreds of millions of customers’ personal data, from email addresses to mailing addresses, phone numbers and dates of birth, were compromised.
According to the Associated Press, an FBI investigation of the largest data breach, which occurred in 2018, concluded the mostly likely hackers were those operating with the Chinese Ministry of State Security.
The new settlement requires Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide LLC, to minimize data retention, create and maintain a “comprehensive information security program and certify compliance to the FTC annually for 20 years,” and create a method for customers to request review of unauthorized activity and a way for customers to delete their personal information.
For the latest travel news, updates and deals, subscribe to the daily TravelPulse newsletter.
Topics From This Article to Explore
