Attorney General Michelle Henry has joined a group of 50 Attorneys General in a settlement with Marriott International, Inc., over a data breach affecting more than 100 million travelers. The breach occurred during Marriott's acquisition of Starwood Hotels & Resorts in 2016 and involved compromised personal information, including birth dates, passport numbers, and payment card details for approximately 131.5 million guests.
Marriott will pay $52 million to the states as part of the settlement, with Pennsylvania receiving $1,685,515. Attorney General Henry stated that "this massive breach of data could have been catastrophic for numerous consumers — some who had their passport and payment card information exposed due to flimsy safeguards in place at the time." She emphasized that the settlement includes significant financial compensation and assurances to minimize future risks.
The Federal Trade Commission has coordinated closely with the states throughout the investigation and reached a parallel agreement with Marriott. The investigation found that intruders accessed the Starwood database undetected from July 2014 to September 2018. Following this discovery, a coalition of Attorneys General initiated a multi-state investigation.
The settlement addresses allegations that Marriott violated state consumer protection laws by failing to implement adequate data security measures when integrating Starwood into its systems. As part of the agreement, which requires court approval, Marriott has committed to enhancing its cybersecurity practices. This includes an independent third-party assessment of its information security program every two years for twenty years.