Marriott agrees to pay $52 million settlement, improve data security practices 

Marriott International and its subsidiary Starwood Hotels and Resorts have agreed to a settlement with the federal and state authorities over three separate data breaches between 2014 and 2020.

In a 16-page proposed consent order with the Federal Trade Commission, the hotel chains agreed to a series of compulsory actions to improve the way they handle, store and protect personal customer data.

In 2015, just days after announcing it was being acquired by Marriott, Starwood disclosed a 14-month-long data breach. According to the FTC’s complaint, a malicious hacker took advantage of “inadequate firewalls and network segmentation, inadequate access controls, the use of outdated and unsupported software, and the lack of multifactor authentication” to install malware on the networks of more than 100 properties and steal consumer payment card information.

Despite knowing that Starwood’s networks had been compromised and conducting a 10-month assessment of their information security program before closing the acquisition, Marriott missed another, much larger ongoing breach.

In June 2014, another malicious actor had compromised one of Starwood’s public-facing web servers, using that access to once again steal administrative credentials and lurk in Starwood corporate networks for more than four years. The threat actors installed keyloggers, remote access trojans and memory-scraping malware across hundreds of systems at dozens of properties, ultimately pilfering 339 million personal data records. Marriott didn’t detect the breach until September 2018.

The same month it discovered the second Starwood breach, Marriott experienced a breach of its own. Hackers used stolen credentials to access the company’s network and steal guest records for 5.2 million customers, including information associated with its loyalty rewards program.

The agreement includes the implementation of many bread-and-butter cybersecurity best practices, like multifactor authentication, standardized patch and vulnerability management programs and identifying and inventorying IT assets that contain personal data. But it also mandates a broad range of specific practices to better track and respond to data security weaknesses identified through the breaches.

In a separate action, Marriott International also agreed to pay $52 million in fines to settle an investigation brought by 49 states and the District of Columbia over similar data security shortfalls.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

The FTC agreement will require Marriott and Starwood Hotels to perform detailed after-action reports and assessments within 120 days of future breaches that impact personal data, conduct data security training for both IT personnel and employees who have access to such information, and establish formal policies and procedures around logging and monitoring IT assets. There’s also a requirement to investigate suspicious or anomalous activity within 24 hours of detection.  

The hotels’ employees and vendors will be subject to stricter access controls and mandatory multifactor authentication, while the companies will also have to impose broader “least privilege” access policies across the enterprise to further limit their attack surface around personal data.

The companies will also have to implement data minimization procedures, provide justification for the personal information they do collect and provide customers with the means to easily request deletion of their data online. 

After purchasing Starwood in 2015, Marriott became the largest hotelier in the world, with the FTC estimating that the company has more than 7,000 properties and owns one out of every 15 hotel rooms around the world.

That massive market share, along with a series of damaging data breaches over the past decade, have put Marriott under the microscope of federal and state regulators, who have argued that the company’s lack of due diligence, widespread collection of personal customer information and poor security practices directly led to or exacerbated the impact of those breaches.

In a statement, Marriott International said it will continue implementing new data security protocols prescribed in the agreement. While the consent order states that the FTC believes the hotel chain violated the Federal Trade Commission Act, “Marriott makes no admission of liability with respect to the underlying allegations.”