{"id":5723,"date":"2024-10-10T13:14:24","date_gmt":"2024-10-10T18:14:24","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82084"},"modified":"2024-10-10T13:14:24","modified_gmt":"2024-10-10T18:14:24","slug":"marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices\/","title":{"rendered":"Marriott agrees to pay $52 million settlement, improve data security practices\u00a0"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Marriott agrees to pay $52 million settlement, improve data security practices&nbsp; | CyberScoop<\/title> <meta name=\"description\" content=\"The actions will settle federal and state investigations into security failures that led to overlapping data breaches affecting hundreds of millions of customers dating back to 2014.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/marriott-starwood-breach-ftc-settlement-data-security\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Marriott agrees to pay $52 million settlement, improve data security practices&nbsp;\"> <meta property=\"og:description\" content=\"The actions will settle federal and state investigations into security failures that led to overlapping data breaches affecting hundreds of millions of customers dating back to 2014.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/marriott-starwood-breach-ftc-settlement-data-security\/\"> <meta 
property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-10T18:14:24+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-10T18:14:25+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1725982252g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1725466133g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1728570921g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82084\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta 
name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82084\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmarriott-starwood-breach-ftc-settlement-data-security%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmarriott-starwood-breach-ftc-settlement-data-security%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82084 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/marriott-starwood-breach-ftc-settlement-data-security\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" 
readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.411684782609\">\n<div class=\"single-article__header-content\" readability=\"29.532608695652\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The actions will settle investigations into security failures that led to overlapping data breaches affecting hundreds of millions of customers. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg 3008w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=300,199 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=1024,681 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=1536,1021 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=2048,1362 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=253,168 253w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=507,337 507w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=1015,675 1015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-2.jpg?resize=1268,843 1268w\" sizes=\"(max-width: 1015px) 100vw, 1015px\"><figcaption> The Marriott Downtown Orlando hotel on March 8, 2006. (Photo by Julia Beverly\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"49.840887806705\"><body readability=\"100.31770833333\"><\/p>\n<p>Marriott International and its subsidiary Starwood Hotels and Resorts have agreed to a settlement with the federal and state authorities over three separate data breaches between 2014 and 2020.<\/p>\n<p>In a 16-page proposed <a href=\"https:\/\/www.ftc.gov\/system\/files\/ftc_gov\/pdf\/1923022marriottacco.pdf\">consent order<\/a> with the Federal Trade Commission, the hotel chains agreed to a series of compulsory actions to improve the way they handle, store and protect personal customer data.<\/p>\n<p>In 2015, just days after announcing it was being acquired by Marriott, Starwood disclosed a 14-month-long data breach. 
According to the FTC\u2019s <a href=\"https:\/\/www.ftc.gov\/system\/files\/ftc_gov\/pdf\/1923022marriottcomplaint.pdf\">complaint<\/a>, a malicious hacker took advantage of \u201cinadequate firewalls and network segmentation, inadequate access controls, the use of outdated and unsupported software, and the lack of multifactor authentication\u201d to install malware on the networks of more than 100 properties and steal consumer payment card information.<\/p>\n<p>Despite knowing that Starwood\u2019s networks had been compromised and conducting a 10-month assessment of their information security program before closing the acquisition, Marriott missed another, much larger ongoing breach.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In June 2014, another malicious actor had compromised one of Starwood\u2019s public-facing web servers, using that access to once again steal administrative credentials and <a href=\"https:\/\/cyberscoop.com\/marriott-data-breach-starwood-hotels-gdpr\/\">lurk in Starwood corporate networks<\/a> for more than four years. The threat actors installed keyloggers, remote access trojans and memory-scraping malware across hundreds of systems at dozens of properties, ultimately pilfering 339 million personal data records. Marriott didn\u2019t detect the breach until September 2018.<\/p>\n<p>The same month it discovered the second Starwood breach, Marriott experienced a breach of its own. 
Hackers used stolen credentials to access the company\u2019s network and <a href=\"https:\/\/cyberscoop.com\/marriott-data-breach-2020\/\">steal guest records for 5.2 million customers<\/a>, including information associated with its loyalty rewards program.<\/p>\n<p>The agreement includes the implementation of many bread-and-butter cybersecurity best practices, like multifactor authentication, standardized patch and vulnerability management programs and identifying and inventorying IT assets that contain personal data. But it also mandates a broad range of specific practices to better track and respond to data security weaknesses identified through the breaches.<\/p>\n<p>In a separate action, Marriott International also agreed to pay $52 million in fines to <a href=\"https:\/\/portal.ct.gov\/ag\/press-releases\/2024-press-releases\/multistate-settlement-with-marriott-for-data-breach-of-starwood-guest-reservation-database\">settle an investigation<\/a> brought by 49 states and the District of Columbia over similar data security shortfalls.<\/p>\n<p>\u201cMarriott\u2019s poor security practices led to multiple breaches affecting hundreds of millions of customers,\u201d Samuel Levine, director of the FTC\u2019s Bureau of Consumer Protection, said in a statement. \u201cThe FTC\u2019s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The FTC agreement will require Marriott and Starwood Hotels to perform detailed after-action reports and assessments within 120 days of future breaches that impact personal data, conduct data security training for both IT personnel and employees who have access to such information, and establish formal policies and procedures around logging and monitoring IT assets. 
There\u2019s also a requirement to investigate suspicious or anomalous activity within 24 hours of detection.&nbsp;&nbsp;<\/p>\n<p>The hotels\u2019 employees and vendors will be subject to stricter access controls and mandatory multifactor authentication, while the companies will also have to impose broader \u201cleast privilege\u201d access policies across the enterprise to further limit their attack surface around personal data.<\/p>\n<p>The companies will also have to implement data minimization procedures, provide justification for the personal information they do collect and provide customers with the means to easily request deletion of their data online.&nbsp;<\/p>\n<p>After purchasing Starwood in 2015, Marriott became the largest hotelier in the world, with the FTC estimating that the company has more than 7,000 properties and owns one out of every 15 hotel rooms around the world.<\/p>\n<p>That massive market share, along with a series of damaging data breaches over the past decade, has put Marriott under the microscope of federal and state regulators, who have argued that the company\u2019s lack of due diligence, widespread collection of personal customer information and poor security practices directly led to or exacerbated the impact of those breaches.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In a statement, Marriott International said it will continue implementing new data security protocols prescribed in the agreement. 
While the consent order states that the FTC believes the hotel chain violated the Federal Trade Commission Act, \u201cMarriott makes no admission of liability with respect to the underlying allegations.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6505576208178\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/marriott-agrees-to-pay-52-million-settlement-improve-data-security-practices-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/marriott-starwood-breach-ftc-settlement-data-security\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Marriott agrees to pay $52 million settlement, improve data security<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,440,77,575,2865,2793],"tags":[86,444,85,577,2866,2794],"class_list":["post-5723","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-data-breaches","category-data-security","category-ftc","category-marriott","category-regulators","tag-cybersecurity","tag-data-breaches","tag-data-security","tag-ftc","tag-marriott","tag-regulators"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-security\/\" rel=\"category tag\">Data Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ftc\/\" rel=\"category tag\">FTC<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/marriott\/\" rel=\"category tag\">Marriott<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/regulators\/\" 
rel=\"category tag\">regulators<\/a>","tag_info":"regulators","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5723"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5723\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}