The Federal Trade Commission has announced that Marriott has agreed to pay a $52 million settlement to resolve the decade-long lawsuit against it over multiple data breaches. Affected Marriott customers can check the full settlement details here.
Marriott Data Breach Settlement
On 09 Oct 2024, the FTC, the District of Columbia, and a group of attorneys general from 49 states announced the settlement in the Marriott data breach lawsuit. According to the FTC investigation, the Marriott data breaches took place between 2014 and 2020 and affected 131.5 million people in the US and 339 million customers worldwide.
In 2018, Marriott announced the data breach and said hackers had acquired 383 million guests’ information, 5.25 million guests’ passport information, and 8.6 million guests’ credit card information. The Marriott data breach led to a third party obtaining the personal information of millions of customers, such as passport information, loyalty numbers, payment card numbers, dates of birth, and email addresses.
The FTC claims that Marriott and its subsidiary Starwood Hotels & Resorts Worldwide failed to protect customers’ information. The commission alleges that the hotel failed to secure its systems with appropriate password controls and other practices to protect the data. Marriott has agreed to pay a $52 million settlement to the states and the FTC to resolve the case and to improve its data security system.
State-wise Distribution of Marriott Data Breach Settlement
According to the FTC and 49 states’ settlement announcement, the settlement fund of $52 million will be distributed among the 49 states except California and the District of Columbia as a multi-state settlement.
The settlement amount for each US state has not been declared yet. The states involved in the case will announce the allocation based on various factors, such as population size, Marriott customer density in the state, and many others. The final distribution for all the US states involved in the settlement will be out soon.
The settlement amount has been declared for some states. Here are the amounts announced so far for states involved in the Marriott data breach settlement:
- Michigan: $1 million
- Iowa: $594,105
- Arkansas: $800,000
- Hawaii: $438,000
- West Virginia: $472,693
Will the customers receive the Marriott Data Breach Settlement?
According to the settlement information, there has been no announcement of customers receiving compensation from Marriott through the data breach settlement. Marriott has not admitted any wrongdoing but has promised to enhance its data systems to protect customers’ information.
As for the settlement, the focus is now on holding Marriott accountable for the 2018 data breach and its failure to keep customer data protected from malicious actors. The lawsuit alleges that the Marriott data breaches resumed in 2020, after the defendant had announced the breach in 2018, with the data of 5.2 million guests accessed.
The settlement announcement has not indicated any compensation scheme for individual customers. However, it should be noted that the settlement is still ongoing, and it is possible that affected customers will receive compensation in the future.
What’s for customers in the Marriott Data Breach Settlement?
According to the FTC, Marriott customers can expect the following things from the settlement:
- Customers can ask Marriott to review their Bonvoy account for any unauthorized activity, and if the investigation shows that their loyalty points were stolen, Marriott will restore the stolen points.
- Customers can now enable multi-factor authentication on their Marriott Bonvoy account and add an extra layer of security to their account to safeguard their information.
- Customers can ask Marriott to remove all their information from its official website or mobile app.
- Customers can now find out why Marriott is collecting and keeping their personal information under Marriott’s Privacy Policy.
What has Marriott promised to do to improve its data security system?
The FTC investigation found that Marriott’s data security system was outdated, so Marriott plans to improve the system and has promised the following measures:
- Marriott said it will have a third-party audit of its IT security program every two years for 20 years to ensure that it keeps the security system up to the mark.
- It plans to set up a comprehensive IT security system that involves encryption, multi-factor authentication, and other data protection methods to make the system more resistant to data breaches.
- Marriott also promised that it will collect customers’ information only when the business needs it, and customers can inquire about the information it has collected.
- Marriott also said it will delete customers’ information from the system when it is no longer required.
- Marriott will not use for marketing purposes any customer information that customers have asked it to delete.
- Marriott will work on risk assessments of the data security system and outline a contract with cloud providers to oversee the risk management of the data security system.
- Marriott also says if it acquires any other entity in the future, it will check the acquired entity’s security system and develop plans to analyze the gaps in the system and remove the issues to ensure the acquired entity’s information security program is up to the mark.
The Marriott data breach settlement with the FTC and 49 states is meant to hold Marriott accountable for the data breach that led to identity theft and the leak of customers’ personal information. Although Marriott has not admitted the violation, it promises to improve its information security system and ensure customers’ data privacy.