Attorney General Todd Rokita has announced a $52 million settlement with Marriott International Inc. This agreement comes after a multi-year investigation by a coalition of 50 attorneys general into a significant data breach that affected the hotel chain's guest reservation database.
As part of the settlement, Marriott will enhance its data security practices using a risk-based approach and provide specific consumer protections. The company will also make a payment to the states involved in the investigation, with Indiana receiving over $900,000.
"Protecting Hoosiers’ personal data, whether they are checking into a hotel or just checking out potential travel plans, is an important priority of our office," said Attorney General Rokita. "That’s why we hold corporations accountable if they don't handle consumers’ information responsibly. This settlement shows once again our resolve to make sure corporations are vigilant in following security protocols."
The Federal Trade Commission has also reached a parallel settlement with Marriott. The breach occurred between July 2014 and September 2018 when intruders accessed the Starwood computer network undetected, compromising 131.5 million guest records in the United States. The exposed information included contact details, gender, dates of birth, reservation information, and some unencrypted passport numbers and payment card details.
Following the breach announcement, the attorneys general initiated an investigation into allegations that Marriott violated state consumer protection laws by failing to implement adequate data security measures when integrating Starwood systems.
Under the settlement terms, Marriott will improve its cybersecurity practices and offer consumers additional protections such as data deletion options and multi-factor authentication for loyalty rewards accounts like Marriott Bonvoy.
A headshot of Attorney General Rokita is available online.