Marriott Gets $52 Million Slap On Wrist For Security Breaches Due To ‘Lax Security’

Forbes
Marriott has agreed to pay $52 million in a settlement with a coalition of state attorneys general, alongside a separate FTC order, for its failure to keep customers' data safe. (Photo: Getty)

Marriott continues to pay for its past cybersecurity sins. On Wednesday, in two separate settlements, the hospitality giant was taken to task by the Federal Trade Commission (FTC) and a coalition of states for failing to adequately protect customers’ personal data over the past decade.

Between 2014 and 2020, Marriott was hit with three high-profile cybersecurity breaches. The largest stemmed from the company’s $13.6 billion acquisition of Starwood Hotels in 2016. In September 2018, Marriott detected an unauthorized attempt to access the Starwood guest reservation database and subsequently determined that the intruders had first gained access in 2014, two years before the acquisition. The company publicly announced the breach nearly three months later, at the end of November 2018.

That breach exposed the personal data—including contact information, birthdates and credit card information—of up to 500 million guests globally, including 132 million living in the U.S. Roughly 5 million unencrypted passport numbers were also exposed, including about 663,000 belonging to American guests.

On Wednesday, a coalition of 50 attorneys general announced a settlement in which Marriott agreed to strengthen its data security practices and make a $52 million payment to be distributed among the states.

“Companies have an obligation to take reasonable measures to protect consumer data security,” said William Tong, Connecticut Attorney General. “Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests.”

But while $52 million is a significant number on its face, the sum represents roughly 1.7% of the hospitality giant’s $3.08 billion in profits for fiscal year 2023.

Since announcing the Starwood breach in 2018, the fallout for Marriott has been significant. The company has faced recovery expenses, legal penalties, and ongoing reputational damages. But one could argue that governments around the world have largely let Marriott off the hook.

In 2020, the United Kingdom’s Information Commissioner’s Office fined Marriott £18.4 million (about $23.8 million) for the breach—roughly $100 million less than the £99 million (about $123 million) penalty it had originally proposed.

The wheels of accountability have moved more slowly in the United States. In 2019, Marriott CEO Arne Sorenson testified before a U.S. Senate subcommittee that Marriott deeply regretted the incident and was committed to enhancing security measures to protect against future attacks. As luck would have it, he was testifying alongside the CEO of Equifax, whose explanation of his company’s massive 2017 breach made Marriott look good by comparison. Marriott’s breach did “not appear to have been caused by the same cultural indifference to cybersecurity the record indicates existed at Equifax, rather, it looks like Marriott inherited this breach from Starwood,” said Sen. Tom Carper (D-Del.).

Also on Wednesday, the FTC announced a proposed settlement order under which Marriott and Starwood agreed to give all of their U.S. customers a way to request deletion of the personal information associated with their email address or loyalty rewards account number. Marriott must also review loyalty rewards accounts upon customer request and restore any stolen loyalty points.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Historically, companies have a poor track record both of safeguarding customer data and of alerting the public promptly after discovering a breach. Marriott waited nearly three months before going public. DoorDash waited four months to announce that hackers had stolen data from 4.9 million customers, delivery workers and merchants. Uber waited over a year before telling the public about a breach that affected 57 million riders and drivers.

“It really speaks to an endemic problem inside of modern corporations that they’re not handling users’ data well,” Max Eddy, a cybersecurity expert who currently writes for Wirecutter, told Forbes back in 2019. “Since there have been no real costs associated with these data breaches, these companies have no incentive to change their behavior.”

“Protecting guests’ personal data remains a top priority for Marriott,” the company said in a statement released Wednesday. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”