Attorney General Josh Stein has announced a $52 million settlement involving Marriott over a data breach that affected millions of guests. The breach, which occurred between July 2014 and September 2018, compromised the records of approximately 131.5 million customers in the United States. The leaked information included contact details, dates of birth, reservation data, and some unencrypted passport numbers and payment card information.
Stein stated, “It feels as though every other week we are hearing about another massive data breach. Companies shouldn’t store any more consumer data than they need, and they need to take extra steps to protect that data. If they fail to reasonably protect people’s information, my office will hold them accountable.”
Marriott took control of Starwood's computer network in 2016 after acquiring the company but failed to detect intruders who had been present since 2014. As part of the settlement terms, Marriott is required to enhance its cybersecurity measures significantly. These include offering multi-factor authentication for loyalty accounts like Marriott Bonvoy and providing consumers with an option for data deletion.
The North Carolina attorney general’s office co-led the investigation alongside numerous other states' attorneys general. The Federal Trade Commission also reached a parallel agreement with Marriott.
Attorney General Stein was joined by his counterparts from Connecticut, Maryland, Oregon, the District of Columbia, Illinois, Louisiana, Massachusetts, Texas, Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania Vermont Alaska Colorado Delaware Georgia Hawaii Idaho Indiana Iowa Kansas Kentucky Maine Michigan Minnesota Mississippi Missouri Montana Nevada New Hampshire New Mexico North Dakota Oklahoma Rhode Island South Carolina South Dakota Tennessee Utah Virginia Washington West Virginia Wisconsin and Wyoming in reaching this settlement.