Marriott International and its Starwood Hotels & Resorts Worldwide subsidiary will put in place a "robust" new data security program to settle charges that its poor security practices led to a trio of data breaches that affected more than 344 million of its customers, the US Federal Trade Commission said Wednesday.
As part of the proposed settlement order with the FTC, the hotel chain also agreed to give US consumers a way to request deletion of personal data tied to their email address or loyalty rewards account number. Marriott also will be required to review loyalty rewards accounts upon customer request and restore stolen loyalty points.
The data breaches, which took place between 2014 and 2020, included a massive theft detected in November 2018 where cybercriminals breached Starwood's reservation database, compromising 339 million customer accounts and stealing 5.25 million passport numbers.
Customer data exposed in the other breaches included names, addresses, emails, payment card information, phone numbers and birthdays as well as loyalty account details and information like room preferences.
In addition, under a separate settlement also announced Wednesday, Marriott agreed to pay a combined $52 million to 49 states and the District of Columbia to settle similar charges. The FTC does not have legal authority to impose civil penalties in the case.
"Marriott's poor security practices led to multiple breaches affecting hundreds of millions of customers," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement. "The FTC's action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe."
Marriott said in a Wednesday statement that many of the security and privacy requirements being imposed by the FTC have already been put in place or are in progress.
"Protecting guests' personal data remains a top priority for Marriott," the company said. "These resolutions reaffirm the company's continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify and manage risks from evolving cybersecurity threats."
In its proposed complaint, the FTC charges that Marriott and Starwood didn't do enough to protect their customers' data from online thieves. Specifically, the FTC says that among other failures, they didn't put in place adequate password, access and firewall controls.
The FTC also says the companies didn't properly segment their network systems, which would have helped protect data in the event of a breach. And they didn't patch outdated software and systems, or put in place adequate multifactor authentication.
Those lax practices combined allowed cybercriminals to breach the systems and steal massive amounts of customer data, the FTC says.
The commission voted 3-0 with two members abstaining to issue the administrative complaint and to accept the proposed consent agreement. The agreement will be published in the Federal Register and subject to public comment for 30 days. After that period, the commission will decide whether to make the proposed consent order final.