By Katherine McCarron and Kamay Lafalaise
Marriott International, Inc. has long highlighted core values of putting people first, pursuing excellence, acting with integrity, and serving the world. The FTC and Attorneys General from 49 states and D.C. are jointly announcing an action that suggests the company may want to add a fifth value to that list: protecting customer data and privacy.
According to a proposed complaint, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC had data security failures that led to at least three breaches between 2014 and 2020. First, the FTC says between 2014 and 2018 bad actors were able to take advantage of weak data security to steal 339 million consumer records from Marriott’s subsidiary, Starwood, in two separate breaches. That included millions of passport, payment card, and loyalty numbers. Then, in 2020, according to the complaint, Marriott told its customers bad actors had breached Marriott’s own network through a franchised hotel. This time the intruders stole 5.2 million guest records, which included significant personal information and loyalty account information. The stolen information was detailed enough, the complaint explains, that bad actors could use it to create highly successful, targeted phishing campaigns to commit fraud.