Marriott settles with FTC over data breaches

WASHINGTON (Reuters) – The U.S. Federal Trade Commission (FTC) announced on Wednesday that it will require Marriott International (NASDAQ: MAR) and its subsidiary Starwood Hotels & Resorts Worldwide (NYSE: HOT) to implement an information security program as part of a settlement regarding multiple data breaches from 2014 to 2020.

The three significant data breaches, which occurred between 2014 and 2020, compromised the personal information of over 344 million customers globally, according to the FTC.

> "Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers," said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. "The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe."

Marriott and Starwood have also agreed to provide U.S. customers with a method to request the deletion of personal information linked to their email address or loyalty rewards account number. Moreover, Marriott will be obligated to review loyalty rewards accounts upon customer request and restore any stolen loyalty points, as stated by the FTC.

In a separate settlement, Marriott has agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations.

> "Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats," Marriott mentioned in a statement following the announcement of the settlement.

The company also noted that, as per the agreements with the FTC and state Attorneys General, Marriott does not admit liability concerning the underlying allegations.

Additionally, Marriott faced a class action lawsuit in London in 2020 from millions of former guests seeking compensation after their personal records were compromised in one of the largest data breaches in history.