Attorney General Platkin, Multistate Coalition Announce $52 Million Settlement for Marriott, Starwood Data Breaches
View Complaint | View Consent Order
TRENTON – Attorney General Matthew J. Platkin and the Division of Consumer Affairs today announced that a coalition of 50 Attorneys General reached a $52 million settlement with Marriott International, Inc. to resolve investigations concerning two information security failures, including one widespread data breach.
New Jersey will receive just over $1.3 million from the settlement. At the same time, the Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott.
“This settlement is another example of how New Jersey and other states are working together to hold corporations accountable for their failures to safeguard customer data,” said Attorney General Platkin. “Together, we are requiring companies to treat consumer data as carefully as they do their other assets.”
“Consumers have the right to know that corporations take data privacy seriously and will protect their private information,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “We are pleased that, as a result of this settlement, Marriott will improve their processes going forward.”
The States allege that Marriott violated data breach laws and consumer protection laws—including the New Jersey Consumer Fraud Act—by misrepresenting the ways in which it protected consumers’ personal information and by failing to use adequate cybersecurity safeguards to protect that information.
The first breach began in 2014, when an unauthorized third party installed malware and gained access to the guest reservation database of Starwood Hotels and Resorts Worldwide. In 2016, Marriott purchased Starwood and took control of its computer network.
Unbeknownst to Marriott, between 2014 and 2018, the intruders went undetected in the Starwood network and continued to perform reconnaissance activities and gain access to highly privileged Starwood administrative and user credentials. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
After becoming aware of the breach in September 2018, Marriott disclosed the 2014 data breach on November 30, 2018. A forensic examination of Starwood’s systems revealed several failures. These failures included inadequate firewall controls, unencrypted payment card information stored outside of the secure cardholder data environment, lack of multifactor authentication, and inadequate monitoring and logging practices.
About 131.5 million Americans were impacted by the data breach, including more than 4.3 million New Jerseyans.
In a second incident, intruders were allegedly able to compromise the credentials of employees at a Marriott-franchised property to gain access to Marriott’s own network for a period of several months. These attackers began accessing and exporting consumers’ personal information without detection from September 2018 to December 2018. The breach resumed in January 2020 and continued until it was discovered the next month.
Over the course of the two time periods, the intruders gained access to over 5.2 million guest records, including 1.8 million records related to U.S. consumers. The records contained significant amounts of personal information.
Marriott announced the discovery of this second incident in March 2020.
The consent judgment and complaint were filed in the Superior Court, Chancery Division in Mercer County. In addition to the financial penalties, the settlement includes significant steps Marriott must take to prevent a future breach. Marriott agreed to various measures aimed at strengthening its cybersecurity practices going forward, including but not limited to:
- Employing a Chief Information Security Officer and creating a committee on its Board of Directors to provide oversight on the company’s information security program;
- Implementing specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network;
- Reporting security breaches involving personal information of Marriott customers;
- Providing a method for consumers to request that their data be deleted from Marriott;
- Providing a way for consumers to request a review of their loyalty rewards information to check for unauthorized account activity;
- Training employees on protecting consumers’ personal information in company databases;
- Conducting mandatory risk assessments before, during, and after new acquisitions;
- Implementing an integration plan for information security assets acquired by the company that ensures the assets comply with Marriott’s information security program;
- Creating mandatory data retention policies;
- Increasing oversight of vendors and franchisees; and
- Engaging an independent third party every two years to assess Marriott’s information security practices as well as its compliance with this settlement.
In addition to New Jersey, other jurisdictions joining the settlement are Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming and the District of Columbia.
New Jersey was represented by Deputy Attorney General Mandy K. Wang under the supervision of Section Chief Kashif T. Chand and Assistant Section Chief Thomas Huynh of the Data Privacy & Cybersecurity Section, within the Affirmative Civil Enforcement Practice Group of the Division of Law. The investigation into this matter was conducted by Investigator Aziza Salikhova of the Office of Consumer Protection, within the Division of Consumer Affairs.
To learn more about cyber safety in New Jersey, visit the Cyber Safe NJ website of the Division of Consumer Affairs.
###