Attorney General James Announces 52 Million Multistate Settlement with Marriott over Data Breach

Attorney General James Announces $52 Million Multistate Settlement with Marriott over Data Breach
Marriott Data Breach Affected Millions of New York Customers, Settlement Requires Hotel to Improve Data Security and Pay Penalties
October 9, 2024
NEW YORK – New York Attorney General Letitia James today announced a $52 million multistate settlement with Marriott International, Inc. (Marriott) over a multi-year data breach of one of its guest reservation databases. A multistate investigation found that one of Marriott’s subsidiaries, Starwood Hotels and Resorts Worldwide (Starwood), had intruders in its system for four years without getting detected, leading to a data breach that affected 131.5 million customers nationwide, including millions of New Yorkers. Today’s settlement with 50 attorneys general requires Marriott to significantly overhaul and strengthen its data security to protect customers’ private information and pay $52 million in penalties, of which New York will receive $2.29 million.

“When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen,” said Attorney General James. “Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result. Protecting customers’ private information should be a top priority, not a last resort, for all companies. I am proud to stand with my fellow attorneys general to hold Marriott accountable and to protect customers.”

Starwood operates hundreds of hotels nationwide, including hotels in New York. Marriott acquired Starwood in 2016 and took control of its computer network and databases. A multistate investigation discovered that from July 2014 until September 2018 intruders accessed and stayed on Starwood’s databases undetected for years. This intrusion led to the breach of 131.5 million customers’ personal information. The theft impacted people nationwide and exposed personal information, including contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.

Today’s settlement requires Marriott to significantly strengthen and continually improve its cybersecurity practices. Some of the specific measures include:

An independent third-party assessment of Marriott’s information security program every two years for a period of 20.
Data minimization and disposal requirements, which will lead to less customer data being collected and retained.
Implementation of a comprehensive Information Security Program, including regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
In the future, if Marriott acquires another entity, it must promptly assess the acquired entity’s information security program and develop plans to address deficiencies as part of the integration into Marriott’s network.
As part of the settlement, Marriott will allow customers to delete their data that is stored with the hotel if they wish to do so. Marriott must also offer multi-factor authentication to customers for their loyalty rewards accounts, such as Marriott Bonvoy, and conduct reviews of those accounts to ensure there is no suspicious activity.

Joining Attorney General James in signing today’s settlement are the attorneys general of Alabama, Alaska, Arizona, Arkansas, Connecticut, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New Jersey, North Carolina, North Dakota, Ohio, Oregon, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, Wyoming, Vermont, and the District of Columbia.

Attorney General James has taken major actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In August 2024, Attorney General James and a multistate coalition secured $4.5 million from a biotech company for failing to protect patient data. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and customers protect themselves. In July 2024, Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of customers impacted by the Change Healthcare data breach. In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc. (Meta) addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds. In January 2024, Attorney General James reached an agreement with a Hudson Valley health care provider to invest $1.2 million to protect patient data.

For New York, this matter was handled by Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.