Attorney General Ellison reaches data-breach settlement with Marriott
4-year breach of Starwood guest reservation database exposed 131.5 million guest records, including passport numbers and payment card information; Marriott to pay $52M nationally, $800K to Minnesota
October 9, 2024 (SAINT PAUL) - Attorney General Keith Ellison announced today that he and a coalition of 50 attorneys general have reached a settlement with Marriott International, Inc. as the result of an investigation into a large, multi-year data breach of one of its guest reservation databases. The Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott. Under the settlement with the attorneys general, Marriott has agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and make a $52 million payment to states. Minnesota will receive $814,847.00 from the settlement.
“Data breaches can put Minnesotans at greater risk of identity theft, targeted scams, and many other kinds of financial harm,” said Attorney General Ellison. “It is unacceptable that this breach went undetected for more than four years. Minnesotans expect companies like Marriott to protect their data and have appropriate safeguards in place to detect and mitigate the harm of a security breach. Today’s settlement will ensure Marriott strengthens their cybersecurity infrastructure, and the penalty Marriott is paying shows others that neglecting data security has consequences.”
Marriott acquired Starwood in 2016 and took control of the Starwood computer network that same year. However, from July 2014 until September 2018, intruders in the system went undetected. This led to the breach of 131.5 million guest records of customers in the United States. The stolen records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
Shortly after the breach of the Starwood database was announced, a coalition of 50 state attorneys general launched a multi-state investigation into the breach. Today’s settlement resolves the coalition’s allegations that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.
Under the terms of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices. Some of the specific measures include:
- Implementation of a comprehensive Information Security Program, which includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
- Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
- Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
- Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
- An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.
These settlement terms are grounded in a well-developed risk-based approach in which Marriott not only needs to conduct an annual enterprise level risk assessment, but must also perform risk analyses throughout the year for changes to security controls. Those ongoing risk assessments must address the criteria of “harm to others” – which would include potential harm to consumers.
As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Minnesota consumers will enjoy this right and others when the Minnesota Consumer Data Privacy Act goes into effect July 31, 2025. Marriott must also offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity.
Marriott further agrees that if it acquires another entity, it must assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
Data breaches are on the rise. Minnesota consumers may wish to freeze their credit to protect against identity theft. A credit freeze prevents creditors—such as banks or lenders—from accessing individuals’ credit reports. This will stop identity thieves from taking out new loans or credit cards in consumers’ names, because creditors will not approve loan or credit requests if they cannot first access the applicant’s credit report. By law, a credit bureau must allow you to place, temporarily lift, or remove a credit freeze for free.
When consumers freeze their credit with each bureau, the bureaus will send them a personal identification number. The consumers can then use that PIN to unfreeze their credit if they want to apply for a loan or credit card. Consumers can also use the PIN to freeze their credit again after they have applied for loans or a new credit card.
Individuals will have to freeze their credit with each bureau: Experian, Equifax and TransUnion:
- Equifax: https://www.equifax.com/personal/credit-report-services/credit-freeze/ or +1 (888) 766-0008
- Experian: https://www.experian.com/freeze/center.html or +1 (888) 397-3742
- TransUnion: https://www.transunion.com/credit-freeze or +1 (800) 680-7289