As a result of three large data breaches between 2014 and 2020, Marriott International has reached a settlement agreement with the Federal Trade Commission, under which the hotel company must overhaul its data-security practices.
Marriott must "implement a comprehensive security program" and address vulnerabilities that the FTC said led to three significant breaches between 2014 and 2020.
According to the FTC, the data breaches impacted more than 344 million customers worldwide. The most severe incident, which began in 2014 and was detected in 2018, compromised an estimated 339 million Starwood guest records and 5.25 million unencrypted passport numbers. (Marriott acquired Starwood in 2016, making Marriott responsible for Starwood's data-security practices).
The FTC's complaint alleges that despite claiming to have "reasonable and appropriate data security," Marriott and Starwood failed to implement adequate measures, including proper password controls and timely software updates.
Under the settlement terms, Marriott must establish a data-minimization policy, retaining personal information only as long as necessary. The company is also required to provide U.S. customers with a method to request deletion of their personal information.
Additionally, Marriott will review loyalty rewards accounts upon request and restore any stolen points.
The settlement mandates that Marriott undergo an independent, third-party assessment every two years for the next two decades as well as certify compliance to the FTC annually.
As part of a separate settlement, Marriott has concurrently agreed to pay $52 million to 49 states and the District of Columbia to resolve similar allegations.
Marriott manages and franchises more than 7,000 properties globally.