Marriott International has taken significant steps to enhance its information security protocols in light of a series of data breaches that collectively impacted approximately 344 million individuals globally between 2014 and 2020. The Federal Trade Commission (FTC) announced the proposed settlement on Wednesday, which includes commitments from Marriott to improve its cybersecurity measures to address the concerns raised by these incidents.
As part of the agreement, Marriott will offer U.S. customers a straightforward method to request the deletion of their personal information. In conjunction with this initiative, the company also agreed to pay $52 million to 49 states and the District of Columbia to settle allegations of data security violations related to similar breaches. Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, criticized Marriott’s inadequate security practices, which led to substantial breaches impacting millions of customers. The FTC, alongside multiple state officials, conducted a thorough investigation into these security lapses.
Marriott has indicated that many of the data privacy enhancements stipulated in the settlements have either been implemented or are in progress. The company emphasized it does not admit liability concerning the underlying allegations, asserting that these resolutions are a reflection of its commitment to cybersecurity—a field in which it continues to make significant investments aimed at identifying and managing risks tied to evolving threats.
This series of settlements concludes an unsettling decade for Marriott, characterized by severe data breaches involving its subsidiary, Starwood Hotels and Resorts Worldwide. The initial breach traces back to June 2014 and remained undetected for over a year; it exposed the payment card details of more than 40,000 customers and surfaced shortly after Marriott disclosed plans to acquire the company in November 2015. Another significant breach began in July 2014 and compromised Starwood's reservation system, exposing 339 million customer records. Alarmingly, this breach went unnoticed for nearly four years, highlighting critical weaknesses in the company's cybersecurity defenses.
In March 2020, an additional breach affected up to 5.2 million guests when account details were exposed. That intrusion also went undetected for an extended period, from September 2018 to February 2020. Furthermore, Marriott fell victim to a social engineering attack in 2022 that exposed non-sensitive internal operational files, though this incident was not part of the recent settlements.
The FTC has alleged that Marriott and its subsidiary misled consumers regarding their data security measures by claiming to maintain reasonable and appropriate security protocols. According to the agency's findings, both entities failed to implement essential security controls, including proper password management, access and firewall controls, and network segmentation. The agency also noted failures to patch outdated software and systems in a timely manner, as well as deficiencies in logging and monitoring and in deploying adequate multifactor authentication.
As a part of the settlement terms, Marriott is required to maintain a comprehensive information security program and will be subject to yearly compliance certifications with the FTC for the next two decades. Additionally, the company must undergo third-party evaluations of its security measures every two years, ensuring ongoing oversight of its cybersecurity practices.
For business owners, this case reinforces the importance of robust cybersecurity frameworks, and in particular the need to understand potential attack vectors as outlined in the MITRE ATT&CK Matrix. Tactics such as initial access and persistence are critical considerations for organizations seeking to mitigate risk. The breaches at Marriott show how weaknesses can be exploited when adequate security measures are not implemented and continually updated in response to the evolving threat landscape.