Attorney General Henry joins $52 Million multistate settlement with Marriott for Data Breach that impacted millions of Starwood Guests

HARRISBURG, October 9, 2024— Attorney General Michelle Henry has joined a coalition of 50 Attorneys General in a settlement with Marriott International, Inc., that will require the hotel and resort giant to pay millions for a widespread data breach that impacted more than 100 million travelers.
The data breach happened as Marriott was acquiring Starwood Hotels & Resorts (in 2016) and resulted in compromised information — including dates of birth, passport numbers, and payment card information — for about 131.5 million guests.
In all, Marriott has agreed to pay $52 million to the states. Pennsylvania will receive $1,685,515 from the settlement.
“This massive breach of data could have been catastrophic for numerous consumers — some who had their passport and payment card information exposed due to flimsy safeguards in place at the time,” Attorney General Henry said. “This settlement involves significant financial payment and also assurance that future risk will be minimized.”
The Federal Trade Commission, which has been coordinating closely with the states throughout the investigation, has reached a parallel settlement with Marriott.
An investigation revealed intruders in the Starwood database went undetected from July 2014 to September 2018. Shortly after the breach of the Starwood database was announced, a coalition of 50 Attorneys General launched a multi-state investigation. The settlement resolves allegations by the Attorneys General that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.
Under the terms of the settlement, which requires court approval, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors” and clearly outlined contracts with cloud providers.
In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.