Hotel giant Marriott to pay $52 million over data breaches
Global hotel chain Marriott International has reached a $52 million settlement with 49 US states and Washington DC over a string of data breaches that affected more than 334 million customers between 2014 and 2020. The Federal Trade Commission (FTC) is also requiring Marriott and its subsidiary Starwood Hotels & Resorts Worldwide to implement an information security program as part of a separate agreement over these data breaches.
FTC criticizes Marriott's inadequate security measures
Samuel Levine, the director of the FTC's Bureau of Consumer Protection, slammed Marriott's lax security measures, which resulted in multiple breaches impacting hundreds of millions of customers. The FTC alleged that Marriott and Starwood (which was acquired in 2016) misled customers by claiming to have adequate data security when in fact the companies left customers exposed to breaches. The commission also alleged that Marriott failed to implement proper password controls or network segmentation and neglected to update outdated software and systems.
2020 data breach exposed sensitive customer information
In a major breach unearthed in 2020, hackers stole some 20GB of employee and customer data from the BWI Airport Marriott in Baltimore, Maryland. The stolen data contained confidential business documents and customer payment information such as credit card authorization forms. As part of the settlement, Marriott is now required to offer all US customers a way to request deletion of any personal details associated with their email addresses or loyalty rewards account numbers.
Marriott to restore stolen rewards points upon request
The FTC disclosed that customers' passport details, debit/credit card numbers, birth dates, email addresses, loyalty numbers, and other details were exposed in the breaches. As part of its commitment to rectify the situation, Marriott is also required to review rewards accounts and reinstate customers' stolen rewards points upon request. This move is seen as an effort by the company to regain customer trust following the data breaches.