Colorado to receive $822,434 from nationwide Marriott guest reservation system data breach settlement
Oct. 9, 2024 (DENVER) – Attorney General Phil Weiser announced today that a bipartisan coalition of 50 attorneys general has reached a settlement with hotel chain Marriott International, Inc. after an investigation into a large, multi-year data breach revealed the company failed to comply with consumer protection and personal information protection laws.
Under the settlement with the attorneys general, Marriott agrees to strengthen its data security practices, provide consumers with better protections, and make a $52 million payment to states. Colorado will receive $822,434 from the settlement.
“The law makes it clear to companies that they have to implement reasonable cybersecurity safeguards,” said Weiser. “By failing to comply with the law, Marriott harmed those whose data was stolen. With this settlement, we are not only holding the company accountable for their failure to protect customers and follow the law, we are also requiring them to do a better job moving forward.”
The yearslong breach of the Starwood guest reservation system, during which time intruders went undetected, stretched from July 2014 until September 2018. In 2016, Marriott acquired Starwood and took over its computer system, but did not diagnose and reveal the breach until years later.
During the breach, criminals stole 131.5 million guest records pertaining to customers in the United States. The affected records included contact information, gender, dates of birth, legacy Starwood guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Shortly after Marriott announced the breach of the Starwood database, nearly every attorney general in the country launched an investigation. Today’s settlement resolves allegations by Weiser and the other attorneys general that Marriott violated state consumer protection laws and personal information protection laws.
Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices by implementing better training for employees; adopting better data security policies; minimizing the amount of consumer data the company collects and retains; conducting risk assessments according to best practices, including assessing potential risks when acquiring new companies and products; and undergoing regular third-party security assessments for the next 20 years.
Additionally, as part of the settlement, Marriott will give consumers a data deletion option and offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.
The settlement money Marriott will pay to the state may be used for any restitution where possible, consumer education or consumer protection enforcement, or efforts to advance the public welfare.
# # #
Media contact:
Elliot Goldbaum
Community Education & Communications Manager
720-508-6769 office | 303-990-6691 cell
elliot.goldbaum@coag.gov