Marriott settles yearslong data breach with $52M for Oregon, other states: Here’s what to do

A multinational hotel chain brought to the negotiating table by the Oregon Department of Justice has agreed to pay $52 million for failing to detect a yearslong intrusion into its customer data software.

Marriott Hotels will pay a $52 million penalty to Oregon and 49 other states to settle allegations that it failed to detect a gaping vulnerability in its Starwood database from 2016 to 2018, which allowed hackers to access 131.5 million customers' files, including 1.6 million booking records in Oregon.

Oregon’s attorneys led the negotiating coalition alongside seven other states, and Oregon’s share of the settlement is $2.1 million. The funds will go to the state Department of Justice.

“Marriott failed to live up to basic data security protocols,” Attorney General Ellen Rosenblum said in a statement Wednesday. “This settlement, years in the making, forces Marriott to take responsibility for its data-protection failures and strengthen its cybersecurity measures going forward.”

A separate announcement from the Federal Trade Commission said three distinct data breaches occurred in the Starwood Hotel data system between 2014 and 2020, affecting 344 million customers, though Marriott only acquired the company in 2016. The first hack obtained about 40,000 credit card numbers from Starwood customers, while subsequent hacks exposed passport numbers and other personal information, according to the FTC.

As part of the settlements, Marriott will undergo more rigorous data retention requirements, submit to compliance checks by the FTC biannually for the next two decades, and provide customers with a way to delete their personal data from the hotelier’s files.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, the FTC’s consumer protection bureau director.

Marriott manages or franchises some 7,000 hotels across the world, including several in downtown Portland. The company did not admit fault as part of the settlement, and said it will continue to invest in cybersecurity improvements.

The company stopped using the Starwood reservations system at the end of 2018, according to a spokesperson.

“Protecting guests’ personal data remains a top priority for Marriott,” the spokesperson said.

Was your data leaked by the Marriott Hotels hack? Here’s what to do:

Change your password: It’s always a good idea to change your passwords regularly, and users should never reuse passwords on multiple different accounts. If you’re a regular Marriott customer, now’s a good time to switch up your login credentials.

Check your email: Marriott should have notified you years ago if your data was affected, but sometimes messages get lost in a cluttered inbox. Search for an email from “marriott@email-marriott.com” and look for a notice from the company.

Monitor your accounts: The credit card numbers leaked in the first Starwood Hotels data breach should have expired by now, but it’s always wise to check your monthly statements for suspicious activity and purchases you didn’t make.

—Zane Sparling covers breaking news and courts for The Oregonian/OregonLive. Reach him at 503-319-7083, zsparling@oregonian.com or @pdxzane.
