The Federal Trade Commission (FTC) will require Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program to settle charges that the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.
In a proposed settlement order with the FTC announced today, Marriott and Starwood also agreed to provide all of their U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number. In addition, the proposed settlement requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.
Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries. After Marriott acquired Starwood in 2016, it was responsible for the data security practices of both brands.
In a proposed complaint, the FTC says that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Specifically, the proposed complaint alleges that Marriott and Starwood failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication.
According to the proposed complaint, these security failures by Marriott and Starwood resulted in at least three separate data breaches in which malicious actors obtained passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and other personal information belonging to hundreds of millions of consumers.
The first breach began in June 2014 and involved payment card information of more than 40,000 Starwood customers, according to the proposed complaint. The breach went undetected for 14 months, and Starwood did not notify customers until November 2015, just four days after Marriott announced it was acquiring Starwood.
The second breach began around July 2014 and went undetected until September 2018. During that time, malicious actors accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers.
The third breach, which went undetected from September 2018 until February 2020, impacted Marriott’s own network. Malicious actors accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, month and day of birth and loyalty account information.
Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information. Other provisions of the proposed order include:
- Data minimization: The companies must implement a policy to retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and the specific business need for retaining it.
- Comprehensive information security program: Marriott and Starwood are required to establish, implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards and undergo an independent, third-party assessment every two years.
- Loyalty rewards program account review: The companies must provide a method for consumers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts and Marriott must restore any loyalty points stolen by malicious actors.
- Data deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.