Marriott, Starwood Will Pay $52M, Increase Online Security After Data Breaches
Starwood Hotels & Resorts and its parent company, Marriott International, will pay a $52M penalty and upgrade their security programs as part of a pair of settlements over three data breaches in the last decade.
As part of the settlement between the hotel companies and 49 states and the District of Columbia, Marriott and Starwood will also offer customers the ability to remove their data from the companies' database. The Federal Trade Commission announced both settlements in a release.
The data breaches occurred between 2014 and 2020 and affected more than 344 million customers around the world, according to the FTC. The agency's complaint against the two hotel companies said that through these breaches, “malicious actors” were able to obtain passport information, credit card numbers, dates of birth and additional personal information about those hundreds of millions of hotel customers.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” FTC Bureau of Consumer Protection Director Samuel Levine said in a statement.
“The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
The terms of the settlement with the FTC require Marriott and Starwood to put in place a “comprehensive information security program” and certify their compliance every year for the next two decades. The security program must also be assessed by an independent third party every two years, according to the FTC.
Marriott owns and franchises roughly 7,000 hotel properties across the world. It acquired Starwood in 2016.