The Federal Trade Commission (FTC) has announced a settlement with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over data security failures that led to three significant breaches between 2014 and 2020. These breaches affected more than 344 million customers globally.
Under the proposed settlement, Marriott and Starwood are required to implement a comprehensive information security program. This program aims to address charges that inadequate data security measures were responsible for the breaches. Additionally, the companies will offer U.S. customers the option to request deletion of personal information linked to their email addresses or loyalty rewards account numbers. They will also review loyalty rewards accounts upon customer request and restore any stolen loyalty points.
Marriott has agreed to pay a $52 million penalty to 49 states and the District of Columbia as part of a separate settlement addressing similar allegations. The FTC collaborated with these states during the investigation but lacks legal authority to impose civil penalties in this case.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” stated Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
The FTC's complaint alleges that Marriott and Starwood misled consumers by claiming they had reasonable data security measures while failing to implement adequate protections such as password controls, access controls, firewall controls, network segmentation, software updates, network monitoring, and multifactor authentication.
Three major breaches occurred due to these alleged failures. The first breach began in June 2014 and involved payment card information from over 40,000 Starwood customers. It went undetected until November 2015. The second breach started around July 2014 and was not discovered until September 2018; it compromised 339 million Starwood guest account records worldwide. The third breach affected Marriott's own network from September 2018 until February 2020, impacting 5.2 million guest records globally.
The proposed order prohibits Marriott and Starwood from misrepresenting how they handle personal information and requires them to adopt policies on data minimization and provide methods for consumers to request reviews of unauthorized activity in their loyalty accounts.
The FTC issues an administrative complaint when it has "reason to believe" that the law has been violated and that a proceeding is in the public interest. If the consent order is finalized, each violation of it could result in a civil penalty of up to $51,744.
Katherine McCarron and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection are leading this matter.
The FTC's mission is to promote competition and to protect and educate consumers; fraud-prevention resources are available at consumer.ftc.gov, and fraud can be reported at ReportFraud.ftc.gov.