Marriott International has agreed to a substantial $52 million settlement with 50 US states to resolve allegations stemming from a massive data breach affecting millions of customers. This settlement follows a multi-year investigation by the Federal Trade Commission (FTC) and state attorneys general, uncovering significant security flaws and violations of consumer protection laws. The breach, initially discovered in September 2018, exposed the personal information of an estimated 339 million guest records globally, including 131.5 million American customers. This article delves into the technical details of the breach, the legal repercussions, and Marriott’s commitment to enhanced cybersecurity practices.
The Timeline of the Marriott Breach:
The breach originated within Starwood’s guest reservation database, a system Marriott acquired in 2016. Attackers remained undetected from July 2014 to September 2018, exploiting vulnerabilities in the system to access sensitive guest data. This data included personal details, a limited number of unencrypted passport numbers, and unexpired payment card information. The sheer scale of the breach is staggering; the compromised data encompassed more than 339 million guest records worldwide. This figure includes the 131.5 million American customers directly impacted by the $52m settlement with the US states.
The incident wasn’t a single event. The FTC’s investigation revealed three distinct data breaches between 2014 and 2020:
- June 2014 – October 2015: A breach targeting payment card information of over 40,000 Starwood customers went undetected for 14 months.
- July 2014 – September 2018: The most significant breach, compromising the Starwood guest reservation database, exposing 339 million records globally. This breach is the primary focus of the $52m settlement with the US states and also led to a separate £18.4m ($24m) fine from the UK’s Information Commissioner’s Office (ICO) in October 2020, affecting around seven million UK residents.
- September 2018 – February 2020: Malicious actors accessed Marriott’s own network, compromising 5.2 million guest records worldwide, including 1.8 million US citizens.
Technical Failures and Legal Allegations:
The FTC’s investigation revealed significant shortcomings in Marriott’s and Starwood’s data security practices. The companies failed to implement adequate:
- Password controls: Weak password policies allowed unauthorized access.
- Access controls: Insufficient controls allowed unauthorized users to access sensitive data.
- Firewall controls: Inadequate firewall configurations allowed unauthorized network access.
- Network segmentation: Lack of network segmentation prevented the containment of breaches.
- Software patching: Outdated software and systems created vulnerabilities exploited by attackers.
- Network logging and monitoring: Insufficient logging and monitoring hindered the detection of malicious activity.
- Multi-factor authentication: The absence of robust multi-factor authentication made it easier for attackers to gain access.
These failures led to the allegations that Marriott violated state consumer protection laws, personal information protection laws, and breach notification laws. The FTC also accused Marriott of deceiving consumers by claiming to have reasonable and appropriate data security measures in place. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.”
The Settlement and Marriott’s Response:
The $52 million settlement with the 50 US states resolves these allegations. Importantly, Marriott has emphasized that the settlement does not constitute an admission of liability. The hotel chain maintains its commitment to enhancing its data security practices. As part of the settlement, Marriott has agreed to implement a comprehensive information security program incorporating zero-trust principles and regular security reporting to the board and C-suite. A separate agreement with the FTC mandates the implementation of a “robust” information security program to prevent future breaches.
Marriott’s statement regarding the settlement highlights its focus on data protection: “Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
Looking Ahead:
The Marriott data breach serves as a stark reminder of the critical importance of robust cybersecurity practices for organizations handling sensitive customer data. The $52 million settlement underscores the significant financial and reputational consequences of failing to implement adequate security measures. The case highlights the need for proactive security measures, regular security audits, and a culture of security awareness within organizations. The FTC’s action, in coordination with state partners, aims to ensure that Marriott significantly improves its data security practices globally, setting a precedent for other companies to prioritize robust cybersecurity. The consent agreement will be subject to a 30-day public comment period before becoming final.