Wisconsin is set to receive more than $830,000 from a multi-state settlement with Marriott International, Inc., Attorney General Josh Kaul announced.
The payment coming to the state is part of a $52 million settlement related to a data breach of the Maryland-based company’s guest reservation system, according to Friday’s release from the state Department of Justice. Under the settlement with 50 AGs, the company says it will improve data security and take other actions to protect consumers, in addition to paying the financial penalty.
Marriott International is the world’s largest hotel chain with nearly 9,000 hotels across more than 30 different brands, and about 1.5 million rooms. Marriott in 2016 acquired the hotel chain Starwood Hotels & Resorts Worldwide, taking over the Connecticut business’ computer network that same year. But that network had already been breached by “intruders” between 2014 and late 2018, according to the state DOJ, which led to guest records of 131.5 million U.S. customers being exposed.
“Data breaches like this one can result in harm to consumers,” Kaul said in a statement. “Companies that have confidential consumer information must keep it safe.”
The exposed information included contact details, dates of birth, gender, reservation data and hotel stay preferences, along with a “limited number” of unencrypted passport numbers and expired payment information.
The settlement resolves allegations that the company violated state consumer protection laws, personal information protection laws and breach notification laws, the release shows. The company allegedly didn’t employ “reasonable” data security or address holes in its security system when using and integrating Starwood’s systems.
In a statement on the settlement, the company notes it’s making “no admission of liability” related to the allegations underlying the resolution. It says efforts to improve data privacy and information security are already in place or underway, while customers are also being given the chance to have their personal data deleted.
“Protecting guests’ personal data remains a top priority for Marriott,” the statement reads. “These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
Marriott has agreed to implement a wide-ranging security program including expanding related employee training, collect and retain less consumer information, and enact new security requirements for consumer data such as encryption and more monitoring, among other changes.
For any future acquisitions, Marriott will also need to “further assess” any new security programs and plan for how to address gaps during integration. Plus, the company must get a third-party security assessment every two years for a 20-year period.
See more in the DOJ release.