FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches

The Federal Trade Commission will require Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program to settle charges that the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.

In a proposed settlement order with the FTC announced today, Marriott and Starwood also agreed to provide all its U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number.  In addition, the proposed settlement requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

Under a separate settlement also announced today, Marriott also agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations. The FTC and the states worked in parallel on the investigation. The FTC does not have legal authority to obtain civil penalties in this case.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Marriott and Starwood’s Security Failures

Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries. After Marriott acquired Starwood in 2016, it was responsible for the data security practices of both brands.

In a proposed complaint, the FTC says that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Specifically, the proposed complaint alleges that Marriott and Starwood failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication.

The FTC alleged that security failures by Marriott and Starwood resulted in at least three separate data breaches wherein malicious actors obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers, according to the proposed complaint.

The first breach began in June 2014 involving payment card information of more than 40,000 Starwood customers, according to the proposed complaint. The breach went undetected for 14 months until Starwood notified customers in November 2015, just four days after Marriott announced it was acquiring Starwood.

The second breach began around July 2014 and went undetected until September 2018. During that time, malicious actors accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers.

The third breach, which went undetected from September 2018 until February 2020, impacted Marriott’s own network. Malicious actors accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information.

Settlement Requirements

Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information. Other provisions of the proposed order include:

• Data Minimization: The companies must implement a policy to retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and specific business need for retaining it.
• Comprehensive Information Security Program: Marriott and Starwood are required to establish, implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.
• Loyalty Rewards Program Account Review: The companies must provide a method for consumers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts and Marriott must restore any loyalty points stolen by malicious actors.
• Data Deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.

The Commission voted 3-0-2 to issue the administrative complaint and to accept the proposed consent agreement. Commissioners Melissa Holyoak and Andrew Ferguson were recused from this matter.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

The lead staff attorneys on this matter are Katherine McCarron and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.