New York Attorney General Letitia James has announced a $52 million settlement with Marriott International, Inc. The settlement addresses a data breach that affected 131.5 million customers across the United States, including millions in New York. The breach involved intruders accessing the system of Starwood Hotels and Resorts Worldwide, a subsidiary of Marriott, undetected for four years.
The multistate investigation led by Attorney General James revealed that the intrusion occurred from July 2014 until September 2018. It exposed personal information such as contact details, gender, dates of birth, reservation information, and some unencrypted passport numbers and payment card information.
"When people book a hotel stay for travel or work, they shouldn’t have to worry that their personal data and credit card information will be stolen," stated Attorney General James. "Marriott let cybercriminals live in its database for years and millions of people had their information stolen as a result."
The settlement requires Marriott to significantly overhaul its cybersecurity practices. Measures include independent third-party assessments every two years for twenty years, data minimization requirements, comprehensive security programs with regular reporting to top executives, increased vendor oversight, and prompt assessment of acquired entities' security programs.
Additionally, Marriott will allow customers to delete stored data if desired and offer multi-factor authentication for loyalty accounts like Marriott Bonvoy.
Attorney General James was joined by attorneys general from 50 states in signing the settlement agreement. This action follows other significant measures taken by Attorney General James to hold companies accountable for inadequate cybersecurity practices.
New York's part in this matter was handled by Deputy Bureau Chief Clark Russell under the supervision of Bureau Chief Kim Berger within the Division for Economic Justice.