
Marriott Data Breaches Result in a $52 Million FTC Settlement

The world’s largest hotelier, Marriott International, has agreed to a $52 million FTC settlement to conclude an investigation into more than half a decade of data breaches that rocked the hotel franchise.

With over 30 hotel brands, Marriott and its franchisees manage more than 7,000 properties in the United States and others across more than 130 countries. The hotel giant acquired Starwood in 2016 for $13 billion, taking over its Westin, W Hotels, and St. Regis properties.

However, its cybersecurity practices have lagged behind its monumental growth, resulting in three massive data breaches between 2014 and 2020 that affected at least 334 million individuals.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” stated Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

The FTC cited poor network segmentation; inadequate firewalls, monitoring, and access controls; outdated and unsupported software; a lack of two-factor authentication; and unencrypted payment card information as some of the causes of the data breaches.

Marriott and Starwood data breaches

Shortly after acquiring Starwood, Marriott disclosed a 14-month-long data breach, known as the “First Breach,” across 100 Starwood properties. The breach stemmed from a threat actor using compromised credentials and unprotected administrative accounts to install malware and access customer information, including payment card data.

In September 2018, the hotel giant discovered another, four-year-long “Second Breach” that it had failed to detect after taking over the Starwood properties. Beginning in June 2014, a threat actor had installed keyloggers, remote access trojans, and memory scrapers on over 480 systems across 58 locations to exfiltrate 339 million personal data records.

“Despite having responsibility for Starwood’s information security practices and network following the acquisition, Marriott failed to identify an ongoing breach within the Starwood network.” – FTC.

In March 2020, Marriott disclosed a “Third Breach,” in which a threat actor used a compromised employee’s credentials to access its network several times between September 2018 and February 2020. The Third Breach aimed to steal loyalty points and affected 5.2 million guest records.

Marriott violated FTC regulations

In October 2024, the Federal Trade Commission (FTC) announced action against Marriott and its subsidiary Starwood for failing to implement security measures to protect personal data.

The FTC accused the hotel chain of making deceptive information security statements on the Marriott and Starwood booking websites by claiming that appropriate safeguards were in place to protect personal information.

However, the Commission found those statements to be “false or misleading” as the “Respondents did not use appropriate safeguards to protect consumers’ personal information.”

“The acts and practices of Respondents, as alleged in this Complaint, constitute unfair or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act.”

Marriott and Starwood agree to a $52 million FTC settlement

The approved FTC settlement requires Marriott and Starwood to pay $52 million to 49 states and the District of Columbia to settle claims related to the data breaches.

The Bethesda, Maryland-based franchise also faces a class action lawsuit in the United Kingdom related to the 2020 data breach.

The FTC settlement could pave the way for more regulatory actions in other jurisdictions since the data breaches affected international guests.

A separate FTC settlement also requires the hotel chain to implement a robust information security program to prevent similar data breaches in the future.

This includes implementing stricter access controls for employees and vendors, establishing robust monitoring and logging procedures for IT assets, deploying multi-factor authentication, training data and security personnel, and hardening operating systems.

In addition, the FTC settlement demands that the hotel chain investigate suspicious activity within 24 hours and provide assessments and reports on any future data breaches within 120 days.

As part of data minimization and disposal requirements, the FTC settlement also requires the hotelier to allow customers to delete personal information, regardless of whether consumers have that right under state law.

For 20 years, an independent third party will assess the information security program every two years and certify its compliance to the FTC.

However, the FTC settlement does not require the hotel chain to admit any responsibility for failing to stop the data breaches.

“Marriott makes no admission of liability with respect to the underlying allegations,” the franchise responded.

“The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe,” Levine added.