New Hampshire gets piece of $52 million Marriott settlement

Marriott International Inc. has reached a $52 million settlement with the Federal Trade Commission and 49 states, including New Hampshire, over a series of data breaches. Pictured, the Residence Inn by Marriott in Nashua, one of more than 30 properties the company has in the state. Residence Inn by Marriott Photo

New Hampshire will get $432,288 as part of a $52 million settlement that the Federal Trade Commission and attorneys general from across the country have reached with Marriott International Inc. related to a series of data breaches between 2014 and 2020.

New Hampshire Attorney General John M. Formella joined 50 attorneys general as part of the investigation that led to the settlement.

“Today marks a significant step forward in safeguarding the personal information of consumers across New Hampshire and the nation,” Formella said in a news release. “This serious data breach compromised the sensitive information of millions of Marriott’s customers.”

The money received from the settlement will be deposited into the consumer protection escrow fund, according to the AG’s office.

As part of the settlement, the FTC will require the company to implement “a robust information security program” to settle charges that its failure to implement reasonable data security led to three data breaches between 2014 and 2020 that affected more than 344 million customers, according to the FTC.

Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries, including more than 30 in New Hampshire.

Formella said that his office will “continue to work diligently to ensure that companies prioritize the security of consumer information and are held accountable when they fall short.”

Marriott acquired Starwood Hotels and Resorts Worldwide in 2016 and took control of the Starwood computer network that same year. From July 2014 until September 2018, intruders in the system went undetected, leading to the breach. After Marriott acquired Starwood, it was responsible for the data security practices of both brands.

“Today’s settlement resolves allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems,” Formella said.

The first breach began in June 2014 involving payment card information of more than 40,000 Starwood customers, according to the FTC. The breach went undetected for 14 months until Starwood notified customers in November 2015, four days after Marriott announced it was acquiring Starwood.

The second breach began around July 2014 and went undetected until September 2018. “During that time, malicious actors accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers,” according to the FTC.

The third breach, which went undetected from September 2018 until February 2020, affected Marriott’s own network. Malicious actors accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information.

Over the three breaches, records affected also included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Marriott and Starwood also agreed to provide all their U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number. In addition, the proposed settlement requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

The settlement includes 49 states and the District of Columbia. The attorneys general worked with the FTC on the monetary settlement because the federal agency doesn’t have the legal authority to go after monetary compensation in this case, according to the FTC.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Some of the specific measures include:

  • Implementation of a comprehensive Information Security Program, including incorporating zero-trust principles, regular security reporting to the highest levels within the company, and enhanced employee training on data handling and security.
  • Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
  • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
  • In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.