Marriott paying $52 million for data breach that affected millions

Millions of Marriott guests were affected by the data breaches, which disclosed valuable personal information including account numbers. (c) ConsumerAffairs

Customers' confidential data was stolen; company required to make changes

Marriott, the hotel company, is paying $52 million to settle claims that it failed to adequately protect its customers' information. Hackers were able to steal personal information such as names, addresses, and even passport numbers from millions of people.

What Marriott did wrong

  • Didn't have strong enough security: Investigators found inadequate firewall controls, no multifactor authentication, payment card data stored unencrypted outside the secure cardholder data environment, and weak logging and monitoring, so the right tools and practices were not in place to keep hackers out.
  • Didn't realize they were being hacked: Intruders were inside the Starwood network from 2014 until Marriott discovered them in September 2018.

What happens now

  • Marriott has to pay a big fine: The $52 million will be split among the states, with New Jersey getting over $1.3 million.
  • Marriott has to improve its security: The settlement requires Marriott to strengthen its security program so this doesn't happen again, including bringing in outside experts and adopting stronger technical safeguards.

50 states involved

Attorneys general from all 50 states took part in the multistate investigation and settlement. The Federal Trade Commission pursued a separate federal case as well.

“When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” said New York Attorney General Letitia James.

“Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies.”

The states allege that Marriott violated data breach laws and consumer protection laws by misrepresenting the ways in which it protected consumers’ personal information and by failing to use adequate cybersecurity safeguards to protect that information.

The first breach began in 2014, when an unauthorized third party installed malware and gained access to the guest reservation database of Starwood Hotels and Resorts Worldwide. In 2016, Marriott purchased Starwood and took control of its computer network.

Between 2014 and 2018, without Marriott's knowledge, the intruders remained undetected in the Starwood network, continuing reconnaissance and obtaining highly privileged Starwood administrative and user credentials.

The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

After becoming aware of the breach in September 2018, Marriott disclosed the 2014 data breach on November 30, 2018. A forensic examination of Starwood’s systems revealed several failures.

These failures included inadequate firewall controls, unencrypted payment card information stored outside of the secure cardholder data environment, lack of multifactor authentication, and inadequate monitoring and logging practices.

About 131.5 million Americans were impacted by the data breach.

A second incident

In a second incident, intruders were allegedly able to compromise the credentials of employees at a Marriott-franchised property and use them to gain access to Marriott’s own network for a period of several months. The attackers accessed and exported consumers’ personal information without detection from September 2018 to December 2018.

The breach resumed in January 2020 and continued until it was discovered the next month.

Over the course of the two time periods, the intruders gained access to over 5.2 million guest records, including 1.8 million records related to U.S. consumers. The records contained significant amounts of personal information.

Marriott announced the discovery of this second incident in March 2020.