By Hank Russell
New York Attorney General Letitia James announced on October 9 a $52 million multistate settlement with Marriott International, Inc. (Marriott) over a multi-year data breach of one of its guest reservation databases. An investigation found that one of Marriott’s subsidiaries, Starwood Hotels and Resorts Worldwide, had intruders in its system for four years without getting detected, leading to a data breach that millions of customers nationwide, including those in New York. James also announced the state will receive $2.29 million from the nationwide settlement.
Starwood operates hundreds of hotels nationwide, including hotels in New York. Marriott acquired Starwood in 2016 and took control of its computer network and databases. Marriott operates hotels in the following Long Island locations. Islip, Hauppauge, Holtsville, Medford, Brookhaven, Melville, Farmingdale, Riverhead, Westbury, Uniondale and Garden City.
According to the investigation, from July 2014 to September 2018, intruders accessed and stayed on Starwood’s databases undetected for years. This intrusion led to the breach of 131.5 million customers’ personal information. The theft impacted people nationwide and exposed personal information, including contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Today’s settlement requires Marriott to significantly strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
- an independent third-party assessment of Marriott’s information security program every two years for a period of 20 years
- data minimization and disposal requirements, which will lead to less customer data being collected and retained
- implementation of a comprehensive Information Security Program, including regular security reporting to the highest levels within the company, including the chief executive officer, and enhanced employee training on data handling and security
- increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers
In the future, if Marriott acquires another entity, it must promptly assess the acquired entity’s information security program and develop plans to address deficiencies as part of the integration into Marriott’s network.
As part of the settlement, Marriott will allow customers to delete their data that is stored with the hotel if they wish to do so. Marriott must also offer multi-factor authentication to customers for their loyalty rewards accounts, such as Marriott Bonvoy, and conduct reviews of those accounts to ensure there is no suspicious activity.
“When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” James said. “Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies. I am proud to stand with my fellow attorneys general to hold Marriott accountable and to protect customers.”
That same day, Marriott issued a press release announcing that it had settled with all the states’ attorneys general. “Protecting guests’ personal data remains a top priority for Marriott,” the Bethesda, Maryland-based chain said in a statement. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.