Global hotel giant Marriott International agreed to pay $52 million and strengthen its data security practices in settlements between the company, the Federal Trade Commission (FTC), 49 states and the District of Columbia (D.C.). The settlement will be split and distributed among the states and is the result of an FTC investigation into data breaches from Marriott subsidiary Starwood Hotels & Resorts Worldwide. Marriott acquired Starwood Hotels in 2016 for $13.6 billion.
The FTC claims that between 2014 and 2020, Marriott was hit with three cybersecurity breaches, exposing the personal data of 500 million customers globally, including 132 million living in the U.S. In September 2018, Marriott detected an unauthorized attempt to access the Starwood guest reservation database, ultimately determining that the security failure had occurred in 2014, prior to Marriott acquiring Starwood.
The company publicly announced the breach, which resulted in contact information, birthdates, credit card information and unencrypted passwords being exposed, including American passport numbers, three months later. The FBI led an investigation into the data theft, with investigators suspecting the hackers were working on behalf of the Chinese Ministry of State Security.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
Marriott said in a press release that it admits no liability for the data breaches, opting instead to resolve the issue by paying the $52 million fine and committing to work to continue to enhance its data privacy and security programs.
“Protecting guests’ personal data remains a top priority for Marriott,” the company said in a press release. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify and manage risks from evolving cybersecurity threats.”
However, many cybersecurity experts say that the fines imposed on Marriott are simply a slap on the wrist and provide no real negative repercussions that would force the company to make significant changes. Some pointed out that the $52 million fine represents just 1.6% of the hospitality giant’s $3.08 billion in profits earned last year. However, the company has also faced additional fines abroad, with the United Kingdom’s Information Commissioner’s Office fining Marriott $23.8 million for the breach in 2023. Additionally, Marriott has faced recovery expenses, legal penalties and an overall reputational hit from the allegations.
