DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Attorney General Tong Co-Leads $52 Million Multistate Settlement with Marriott for Data Breach of Starwood Guest Reservation Database

Posted on October 9, 2024 by Dissent

The following enforcement action was related to FTC action, also announced today, but is a separate settlement with states. The following press release is from Connecticut’s Attorney General:

(Hartford, CT) – Attorney General Tong announced today that a coalition of 50 attorneys general, co-led by Connecticut, has reached a settlement with Marriott International, Inc. as the result of an investigation into a large multi-year data breach of one of its guest reservation databases. The Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott. Under the settlement with the attorneys general, Marriott has agreed to strengthening its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to states. Connecticut will receive $1,992,130.00 from the settlement.

“Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests. This 50-state settlement, co-led by Connecticut forces a strong system of risk-based protections to guard against ever-evolving threats to cybersecurity. We will continue to work closely with our multistate partners across the country to ensure companies are taking all reasonable precautions to protect our personal information,” said Attorney General Tong.

Marriott acquired Starwood in 2016 and took control of the Starwood computer network in 2016. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records pertaining to customers in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Shortly after the breach of the Starwood database was announced, a coalition of 50 attorneys general launched a multi-state investigation into the breach. Today’s settlement resolves allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.

Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:

• Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
• Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
• Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
• Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
• In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
• An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise level risk assessment, but it must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.

Connecticut, Maryland, and Oregon as well as the District of Columbia, Illinois, Louisiana, Massachusetts, North Carolina, and Texas co-led the multistate investigation, assisted by the Executive Committee of Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, and Vermont, and joined by Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

Assistant Attorneys General John Neumon, Kileigh Nassau, Jordan Levin, along with Paralegal Specialists Megan Kane and Casey Rybak as well as Deputy Associate Attorney General and Privacy Section Chief Michele Lucan, assisted the Attorney General in this matter.

Category: Breach IncidentsBusiness SectorHackOf NoteU.S.

Post navigation

← FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches
Privacy and Security of Student Data (Follow-Up of Audit of NY State Education Department) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit
  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024 (2)
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.