Marriott, the hotel giant that promised luxury and comfort, has instead delivered a nightmare of data breaches. Over the years, Marriott and its subsidiary, Starwood Hotels, have been a veritable buffet for hackers, leaving millions of customers’ personal information exposed.

The breaches were so egregious that Marriott has agreed to pay a hefty $52 million fine and implement stricter security measures. It’s like a slap on the wrist for a company that’s practically invited hackers to their digital party.

Let’s recap the highlights of Marriott’s security disaster:

• Breach after breach: From 2014 to 2020, Marriott suffered three major data breaches, exposing the personal information of hundreds of millions of customers.
• Slow response: In some cases, these breaches went undetected for years, allowing hackers to feast on customer data.
• Lax security: Marriott’s lax security practices, including outdated software and weak passwords, made it a prime target for cybercriminals.

It’s like Marriott left the front door wide open with a welcome mat inviting hackers in.

The fallout from these breaches has been significant:

• Customer trust eroded: Millions of customers have had their personal information compromised, leading to a loss of trust in Marriott.
• Financial penalties: The $52 million fine is a significant financial burden, but it’s a small price to pay for the damage done.
• Reputation tarnished: Marriott’s reputation has taken a hit, and it may struggle to regain the trust of customers.

So, what can Marriott do to make amends?

• Invest in security: Marriott needs to beef up its security measures, including implementing stronger password requirements, regularly patching software, and monitoring networks for suspicious activity.
• Take responsibility: The company must acknowledge its mistakes and take steps to prevent future breaches.
• Make amends: Marriott should offer additional compensation to affected customers and provide clear information about the steps they’re taking to protect their data.

It’s time for Marriott to wake up and smell the coffee. The days of lax security are over. Customers deserve better, and Marriott needs to step up its game.

Read more: Marriott’s Massive Meltdown: A Tale of Neglect and Fallout

The hotel giant will be held to higher security standards, including implementing a new annually reviewed security program. The first breach began in June 2014 and involved the payment card information of more than 40,000 Starwood customers; it went undetected for 14 months, until November 2015.

Starwood faced its second breach in July 2014. That intrusion went undetected for years — until 2018, when 339 million Starwood guest accounts were revealed to have been accessed by malicious actors, exposing various data, including 5 million unencrypted passport numbers. And finally, Marriott was breached again in 2018, a breach that went undetected until February 2020. In that incident, 5.2 million guest records were accessed, nearly 2 million of them belonging to Americans.

Going forward, Marriott and Starwood will have to certify compliance with the FTC annually for 20 years, and undergo independent third-party assessments every two years. Marriott has agreed to pay $52 million and to strengthen its data security practices in settlements related to three data breaches dating back to 2014.

The settlements announced today are two-fold: A resolution with 49 U.S. States Attorneys General and the District of Columbia requires the hospitality giant to pay $52 million to those entities. Separately, the Federal Trade Commission will require Marriott and its subsidiary Starwood to implement a “robust information security program.” Additionally the company has agreed to provide all customers in the United States with a way to request deletion of personal information associated with their email address or loyalty rewards account number.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.

“The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Connecticut co-led the multi-state case. Its attorney general, William Tong, said, “Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests. This 50-state settlement, co-led by Connecticut forces a strong system of risk-based protections to guard against ever-evolving threats to cybersecurity. We will continue to work closely with our multistate partners across the country to ensure companies are taking all reasonable precautions to protect our personal information.”

Marriott announced plans to acquire Starwood in 2015 – and shortly after Starwood notified customers it had experienced a 14-month long data breach involving payment card information for more than 40,000 customers.

Once the $12.2 billion merger went through in 2016, Marriott became responsible for the data security practices of both brands. Two years later, in November 2018, Marriott revealed it had identified what is now termed the second breach, which had been begun in 2014 and involved the copying of information from about 340 million Starwood guests worldwide until it was discovered four years later.

According to the United States Federal Trade Commission, forensic examiners determined this breach was due to “malicious actors” compromising Starwood’s external-facing webserver and installing malware on its network. It said the introducers installed “key loggers, memory-scraping malware and remote access trojans” on more than 480 systems across 58 locations within Starwood’s system, including corporate, data center, customer contact center and hotel property locations.

Personal information stolen during this breach included more than 5.25 million unencrypted passport numbers, payment card numbers, email addresses, user names and dates of birth as well as Starwood loyalty numbers, stay information, flight information and more.

Marriott reported the third breach in March 2020, when it said hackers used login credentials of employees at a franchise property to gain access to Marriott’s network.

The intruders began stealing information in September 2018 – the same month the second breach was discovered – and continued until December 2018, then resumed in January 2020 until they were discovered in February 2020.

During that time they accessed more than 5.2 million guest records that the FTC said contained “significant amounts” of personal information. The FTC complaint alleges Marriott failed to do multiple things, including implementing appropriate password control, patching outdated software, monitoring network environments, implementing appropriate firewalls and applying adequate multifactor authentication.

The agreements with the FTC and the attorneys general indicate that Marriott makes no admission of liability with respect to the underlying allegations. Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries.

HONOLULU (KHON2) — The Hawai‘i Department of Commerce and Consumer Affairs has announced that a group of 50 state attorneys general has reached a settlement with Marriott International, Inc. This settlement is part of an investigation into a serious data breach affecting one of Marriott’s guest reservation systems.

The Federal Trade Commission (FTC) has also been involved and has reached a similar agreement with Marriott. As part of the settlement with the attorneys general, Marriott will:

• Improve its data security practices.
• Provide certain protections for consumers.
• Pay $52 million to the states involved in the investigation. Hawai‘i will receive $438,045 from this payment.

Marriott bought Starwood in 2016 and took control of its computer network that same year. However, from July 2014 to September 2018, hackers accessed the system without being noticed. This breach affected 131.5 million guest records, mainly from customers in the United States. T

he leaked information included:

• Contact details.
• Gender.
• Birth dates.
• Starwood Preferred Guest information.
• Reservation details.
• Hotel stay preferences.
• Some unencrypted passport numbers.
• Unexpired payment card information.

After the breach was made public, a group of 50 attorneys general started looking into it.

Today’s settlement addresses claims that Marriott broke state consumer protection laws and failed to secure personal information properly. They did not take reasonable steps to protect customer data, especially when integrating Starwood’s systems. “When companies collect and keep consumer data, they must secure it,” said Mana Moriarty, Executive Director of the Office of Consumer Protection. “We will continue to hold businesses responsible for not doing this.”

Under the settlement, Marriott must improve its cybersecurity practices. Here are some specific measures they have to follow:

1. Create a strong Information Security Program: This includes new security rules like using zero-trust principles, regular security updates to top management, and better training for employees on data security.
2. Limit data collection and disposal: Marriott will collect less consumer data and dispose of it properly.
3. Enhance security for consumer data: This involves better measures like:
   • Securing systems to limit hackers’ movement.
   • Keeping track of what data they have.
   • Ensuring critical security updates are applied quickly.
   • Monitoring user access and activity.
4. Increase oversight of vendors: Marriott will pay special attention to “Critical IT Vendors” and have clear contracts with cloud service providers.
5. Assess new acquisitions: If Marriott buys another company, they must quickly evaluate that company’s data security and fix any problems before combining systems.
6. Independent assessments: Every two years for 20 years, an outside group will review Marriott’s security practices.

These terms are part of a thorough risk-based plan, where Marriott must check for risks not just once a year, but regularly. These checks will look at potential harm to consumers.

Additionally, as part of the settlement, Marriott will provide consumers with specific protections, including:

• A way to delete their data, even if the law doesn’t require it.
• Multifactor authentication for loyalty accounts like Marriott Bonvoy, which helps protect against unauthorized access.
• Reviews of loyalty accounts if there are signs of suspicious activity.

Connecticut, Maryland, and Oregon, along with the District of Columbia, led the investigation. They were supported by other states including Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, Vermont and many more.

This settlement is an important step in ensuring that companies protect consumer data and take responsibility when breaches happen.