Oregon Attorney General Ellen Rosenblum announced a settlement involving Marriott International, Inc. regarding a significant data breach affecting its Starwood system databases. The breach, which spanned four years, led to the exposure of 131.5 million guest records in the United States. The Federal Trade Commission coordinated with 50 states on this settlement, resulting in Marriott agreeing to pay $52 million and enhance its data security practices.
As one of the leading states in this case, Oregon will receive approximately $2.1 million from the settlement. These funds will support the Oregon Department of Justice's investigative and consumer protection efforts.
“Marriott failed to live up to basic data security protocols,” stated Attorney General Rosenblum. She highlighted that had Marriott adhered to its own information security policies after acquiring Starwood in 2016, much of the intrusion could have been prevented.
The breach occurred between July 2014 and September 2018 and involved various types of personal information such as contact details, dates of birth, and some unencrypted passport numbers and payment card information.
Under the settlement terms, Marriott is required to strengthen its cybersecurity measures by implementing a comprehensive Information Security Program and conducting regular risk assessments. These measures include zero-trust principles, enhanced employee training on data handling and security, encryption requirements, vendor oversight, and independent third-party assessments every two years for 20 years.
Consumers will benefit from specific protections such as a data deletion option and multi-factor authentication for loyalty rewards accounts like Marriott Bonvoy.
Connecticut, Maryland, and Oregon, along with several other states, co-led the investigation into this breach. AG Rosenblum acknowledged the efforts of Oregon DOJ lawyers led by Kristen Hilton in achieving this resolution.