D-Secure - Advanced Data Security Solutions
© 2026 D-Secure Inc. All rights reserved.
Data Breach

Marriott's $52M Settlement: The Cost of Improper Data Handling

A wake-up call for the hospitality industry — how poor cybersecurity and data disposal led to one of the largest data breach settlements.

Hospitality giant Marriott International's recent settlement in October 2024 — worth $52 Million with the Federal Trade Commission (FTC) — is a wake-up call for the hospitality industry. The poor cybersecurity setup of Marriott and its subsidiary Starwood Hotels, their non-adherence to data minimization principles, and their failure to implement reasonable data security led to 3 data breach episodes between 2014 and 2020.

These breaches impacted more than 344 million customers worldwide. Marriott was also fined £18.4 Million by the UK's Information Commissioner's Office (ICO) in 2020 for violating GDPR. The FTC finalized the order on December 20th, 2024.

Warning: Troubles for Marriott might not be over. More investigations could be initiated by regulatory bodies, class action suits could be filed by affected parties, and additional penalties could follow.

The Chronology of Breaches

Marriott acquired Starwood Hotels & Resorts in 2016 for $12.2 Billion, making it a wholly owned subsidiary. Marriott then took over Starwood's computer network and began integrating systems. However, approximately 4 days after announcing the acquisition, Starwood notified customers of a 14-month-long data breach exposing over 40,000 customers' personal data.

Breach #1 - Starwood (Pre-Acquisition)

  • Unprotected admin accounts and weak credentials allowed hackers to install malware
  • Malware accessed customer names, payment information, and more
  • Forensic examination revealed inadequate firewalls, outdated software, no MFA, and weak access controls

Breach #2 - Starwood (Post-Acquisition)

  • Marriott failed to detect the existing intrusion in Starwood's network for almost two years
  • 339 million customers' personal data leaked, including names, DOB, addresses, emails, loyalty program info, and payment details
  • Same root causes: inadequate firewalls, unencrypted payment data, insecure storage

Breach #3 - Marriott's Own Network

  • In 2020, malicious actors gained access using compromised credentials of franchised property employees
  • Intrusion continued until discovered in February 2022
  • 5.2 million guest records accessed, including 1.8 million US customers

Root Causes Identified by FTC

The FTC complaint severely criticized Marriott's Information Security practices, stating they "failed to provide reasonable or appropriate security for the personal information collected and maintained."

Weak Password Policy

Employees allowed to use weak, default, or blank passwords

Outdated Software

Failed to apply security patches regularly; used unsupported systems

No Network Monitoring

Could not distinguish between authorized and unauthorized activity

Inappropriate Access Controls

Ex-employee accounts not deactivated in a timely manner

Weak Firewalls

Failed to block unauthorized network intrusions

No Network Segregation

Hackers could roam freely between hotel and corporate networks

No Multifactor Authentication

Sensitive data and payment systems lacked MFA

Data Minimization Overlooked

Excessive data retention amplified breach magnitude

Key Settlement Provisions

Apart from monetary fines, the settlement requires Marriott to strengthen cybersecurity practices:

Transparency Requirements

Must clearly inform customers how personal information is collected, stored, processed, deleted, and shared. Must accurately inform about security measures implemented.

Information Security Program

Must document, implement, and maintain an annually assessed security program with data access controls, strong password policies, least privilege principles, incident response plans, and regular security reporting to top management including the CEO.

Asset Inventory & Data Erasure

Must inventory and classify IT assets containing personal data. When any device leaves company control, the sensitive data on it must be erased or encrypted, or the device must be destroyed.

Data Minimization & Disposal

Must implement data minimization and disposal policies so less data is collected and retained.

Third-Party Assessments

The Information Security Program must be assessed by a third party every two years for a period of 20 years.

Customer Data Deletion

Must provide customers with a clear and explicit link on their website and mobile application to request deletion of their personal data.

A Wake-Up Call for the Industry

The hospitality industry spans multiple geographies, each with local, state, and federal data privacy laws. Complying with them can be daunting, but the basic premise is to ensure the security of confidential data and to give customers control over how their personal data is collected, stored, processed, and disposed of.

Using professional data wiping tools like D-Secure can help the hospitality industry erase sensitive data beyond recovery, eliminating data leakage chances and staying compliant with EU-GDPR, CCPA, FTC, and other state laws.

As data security gains more prominence, these types of incidents will keep happening unless proactive action is taken. It doesn't matter what size your organization is — data privacy is your moral, legal, and ethical responsibility.
