FTC pushes Marriott to improve cybersecurity after data breaches

The FTC requires Marriott to enhance cybersecurity following multiple data breaches.

Marriott and Starwood must enhance data security after sensitive information was exposed in breaches.

Marriott International will implement an information security program following a settlement with the US Federal Trade Commission (FTC) over data breaches that impacted more than 344 million customers between 2014 and 2020. The settlement requires Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, to address the vulnerabilities that led to multiple breaches over several years.

The hotel chain also agreed to provide US customers with a way to request deletion of their personal data linked to their email address or loyalty rewards account. In addition, Marriott will review loyalty rewards accounts upon request and restore stolen points. A separate settlement sees Marriott paying $52 million to resolve similar data security claims across 49 states and the District of Columbia.

Marriott has stated that protecting guests’ personal data remains a top priority and that the company continues to invest heavily in improving its cybersecurity measures. However, Marriott did not admit liability for the breaches in either the FTC settlement or the agreements with state Attorneys General.

In 2020, the company faced a class-action lawsuit in London brought by millions of former guests seeking compensation after their personal information was compromised in the breaches, which are considered among the largest in history.