Marriott International entered into a $52 million settlement with the U.S. Federal Trade Commission (FTC) to resolve allegations stemming from a massive data breach that affected millions of guests. The breach, which occurred between 2014 and 2018, involved the exposure of sensitive customer information, including names, passport numbers, credit card details, and reservation information.
The data breach originated in 2014 when hackers infiltrated the Starwood reservation system, a property Marriott acquired in 2016. The attackers gained unauthorized access to the system and stole the personal information of approximately 327 million guests.
With more than 30 hotel brands, Marriott and its franchises manage more than 7,000 properties in the United States and additional properties in 130 countries. The hotel giant acquired Starwood in 2016 for $13 billion, taking over its Westin, W Hotels, and St. Regis properties.
Marriott acknowledged the breach in 2018, after discovering it in September of that year. The company took immediate steps to contain the damage, including notifying affected customers, freezing compromised accounts, and working with law enforcement to investigate the incident.
"I think this settlement really underscores the need for a cybersecurity/forensic review when acquiring a company," said Richard Halm, Sr. Attorney, Clark Hill PLC. "One of the underrated aspects of these incidents is that the initial compromise of the Starwood reservation system occurred before it was acquired, but was ongoing through and after the acquisition. The FTC's statement specifically says not to forget that along with 'good stuff,' that 'you're also buying the problems, like vulnerabilities, misconfigurations, and other security issues that may exist.'"
The FTC launched an investigation into the breach, focusing on Marriott's cybersecurity practices and response to the incident.
The commission accused the hotel chain of making deceptive information security statements on the Marriott and Starwood booking websites by claiming that appropriate safeguards were in place to protect personal information. The FTC said it found those claims to be "false or misleading" as the "Respondents did not use appropriate safeguards to protect consumers' personal information."
"The acts and practices of Respondents, as alleged in this Complaint, constitute unfair or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act."
As part of the settlement, Marriott agreed to pay the $52 million civil penalty to the FTC. Additionally, the company committed to implementing a comprehensive cybersecurity program to prevent future breaches.
The Marriott data breach serves as a reminder of the importance of robust cybersecurity measures, as even large, well-established companies can be vulnerable to cyberattacks.
"Customer data is one of the most important factors of customer experience. As such, a first-class brand like Marriott and other major brands should take the necessary means and precautions to minimize the risk of the data being leaked. Personal data today can be used for ad targeting to voting decisions and can be even weaponized to nation-state acts and by targeting individuals according to their personal data," said Rinat Villeval, Head of Technical Services at XM Cyber. "For this specific breach that happened during a period of four years, I would also add regular threat hunting activities. If a breach already happened, the company should know about it ASAP, which could minimize the impact of the size of the data that was already exposed."
Key takeaways for businesses:
"Mergers and acquisitions can have adverse impacts on acquiring companies if they are unaware of the unmitigated risks in the systems they are acquiring," said Piyush Pandey, CEO at Pathlock. "For this reason, it is critical to have an identity governance and administration system that identifies access and separation of duties risks, while at the same time, continuously monitor for actual violations of business process rules and IT general controls. This approach could have dramatically reduced the amount of dwell time the attackers had to exfiltrate data."
The Bethesda, Maryland-based franchise also faces a class action lawsuit in the United Kingdom related to the 2020 data breach.
The FTC settlement could pave the way for more regulatory actions in other jurisdictions since the data breaches affected international guests.
Further, the settlement absolves the hotel chain of any responsibility for failing to stop the data breaches.
"Marriott makes no admission of liability with respect to the underlying allegations," the franchise responded.
"The Marriott settlement draws a line in the sand for what constitutes 'reasonable data security'—a standard that will likely be used as a test in future litigation and regulatory actions," said Claude Mandy, Chief Evangelist, Data Security, at Symmetry Systems. "The settlement underscores the fundamental data security practices that organizations must prioritize: reducing access, conducting comprehensive asset inventories of their data, logging and monitoring of file and user movement, implementing multi-factor authentication (MFA), and minimizing and disposal of data. These are precisely the issues that Data Security Posture Management (DSPM) tools help organizations tackle."