Marriott Agrees To Pay $52 Million Over Data Breaches
Marriott International has agreed to pay $52 million and make security changes to resolve claims related to several significant data breaches
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
In a recent settlement, Marriott International has agreed to pay $52 million and make security changes to resolve claims related to several significant data breaches that affected over 300 million customers globally. The Federal Trade Commission (FTC) and attorneys general from 49 states and Washington, D.C., conducted thorough investigations into these incidents, revealing crucial lapses in Marriott's data security measures and leading to settlements to improve protection for customers moving forward.
Understanding the Case
Marriott’s data breach saga involves three major security incidents that occurred between 2014 and 2020. The most prominent breach, reported in 2018, affected nearly 383 million customers and exposed highly sensitive information, including passport numbers and credit card data. The affected hotel brands, such as Sheraton, Westin, and St. Regis, were originally part of Starwood Hotels & Resorts, which Marriott acquired in 2016. The investigation found that unauthorized access to data had started as early as 2014, with hackers likely working on behalf of the Chinese Ministry of State Security.
Following these incidents, the FTC claimed that Marriott and Starwood's security practices were inadequate, lacking robust password controls, network monitoring, and other security protocols. This oversight allowed unauthorized parties to exploit the system and access personal data, which included highly sensitive financial and identity information.
Whose Data Was Compromised
The compromised data affected millions of Marriott’s customers worldwide, with the information varying from basic to highly sensitive. Here’s a breakdown of the compromised data:
Passport Numbers: Unencrypted passport data of 5.25 million customers.
Credit Card Information: Financial data, including credit card numbers, was accessed for approximately 8.6 million guests.
Personal Identifiers: Names, addresses, loyalty account numbers, birthdates, and other personal details.
Email Addresses: Many guests’ email information was exposed, increasing the risk of phishing scams.
These breaches primarily affected customers of former Starwood properties, including Sheraton, Westin, and other popular hotel chains.
What to Do if You Are Affected
If you were a Marriott customer between 2014 and 2020, it’s essential to take proactive steps to safeguard your information. Here’s what you can do:
1. Monitor Your Financial Accounts
Regularly check your bank statements and credit card accounts for any unauthorized transactions. Consider setting up fraud alerts with your bank to be notified of suspicious activity.
2. Review Your Credit Report
Since personal information like Social Security numbers may be at risk, it’s wise to check your credit report for any unexpected activity. You are entitled to one free report per year from each of the three major credit bureaus (Experian, TransUnion, and Equifax).
3. Change Your Passwords
If you used the same login credentials for other accounts, update your passwords to unique, strong passwords that use a combination of letters, numbers, and symbols. Enable multi-factor authentication where possible.
4. Be Alert to Phishing Attempts
With email information exposed, you may be at higher risk for phishing scams. Be cautious with emails or messages claiming to be from Marriott or financial institutions and avoid clicking on suspicious links or attachments.
5. Request Data Deletion
As part of the FTC settlement, Marriott will provide U.S. customers with the option to request deletion of their data associated with their email or loyalty account number. Contact Marriott’s customer service for more information on initiating this request.
Marriott’s Response and New Security Measures
As part of the settlement, Marriott has committed to bolstering its cybersecurity practices by implementing a more comprehensive information security program, including network segmentation and robust password protection measures. They are also developing procedures to ensure proper data management and protection against similar incidents in the future.
In 2020, Marriott encountered another breach when unauthorized access to guest information was detected through the login credentials of employees at a franchise location. Marriott promptly addressed this breach and, as part of its new agreement, will further invest $15.75 million over two years to enhance cybersecurity.
Conclusion
Marriott’s series of data breaches highlights the risks and consequences of inadequate cybersecurity, especially in organizations handling vast amounts of sensitive customer data. The settlement serves as a reminder of the importance of data security for companies and the need for consumers to stay vigilant regarding their personal information. By taking proactive steps and understanding your rights, you can better protect your data in the event of future incidents. Marriott’s commitment to improving its data protection measures is a positive step, but customers should remain cautious and monitor their accounts diligently to safeguard against identity theft and fraud.