AG Yost Announces $52 Million Agreement with Marriott Over Data Breach

10/9/2024

(COLUMBUS, Ohio) — Ohio Attorney General Dave Yost and 49 other attorneys general have reached a $52 million settlement with Marriott International Inc. stemming from an investigation into a multiyear data breach involving an acquired guest-reservation system.

The breach exposed personal information — contact details, reservation data and, in some cases, unencrypted passport numbers and payment card information — of 131.5 million hotel guests. The compromised data originated with Marriott's acquisition of Starwood Hotels in 2016, but intruders had made their way into the system as early as July 2014 and went undetected until September 2018.

“Marriott was supposed to be a trusted gatekeeper of millions of people’s personal information, but it failed,” Yost said. “We’re holding the company accountable and ensuring they have tools in place to prevent a repeat performance.”

Under the agreement, Marriott will strengthen its data-security practices, provide certain consumer protections, and pay the $52 million to the states, including more than $1.5 million to Ohio.

The investigation found that Marriott violated state consumer protection laws by failing to implement reasonable security measures, despite its representations about its security practices. In addition to the monetary settlement, Marriott has agreed to implement stronger security measures, including enhanced employee training and multifactor authentication for loyalty accounts such as Marriott Bonvoy.

Other settlement requirements:

  • Data minimization and disposal. Marriott will limit the collection and retention of personal information to reduce risk.
  • Enhanced security for new acquisitions. If Marriott acquires another company, it must assess the security practices of the new entity and address any weaknesses.
  • Third-party assessments for 20 years. Marriott will undergo independent third-party evaluations of its security program every two years for the next two decades. 

Beyond the financial penalty, Yost said, the settlement sends a message to other companies about the importance of prioritizing consumer-data protection.

“Companies need to be proactive and diligent when it comes to safeguarding the public’s personal information.”

MEDIA CONTACT:
Hannah Hundley: 614-906-9113

-30-