COLUMBUS, Ohio — Ohio Attorney General Dave Yost, along with 49 other state attorneys general, has secured a $52 million settlement with Marriott International Inc. following an extensive investigation into a significant data breach. The breach, which compromised the personal information of approximately 131.5 million hotel guests, stemmed from vulnerabilities in a guest-reservation system Marriott acquired through its 2016 purchase of Starwood Hotels.

The investigation revealed that cyber intruders gained access to the Starwood system as early as July 2014, going undetected until September 2018. By then, sensitive data—ranging from names and addresses to passport numbers and credit card details—had been exposed for millions of guests worldwide.

“Marriott was supposed to be a trusted gatekeeper of millions of people’s personal information, but it failed,” said Yost in a public statement. “We’re holding the company accountable and ensuring they have the tools in place to prevent a repeat performance.”

The joint investigation determined that Marriott violated state consumer protection laws by not implementing adequate security measures. Despite the company’s public assurances about its commitment to data privacy and security, the breach demonstrated critical lapses in its protective infrastructure.

Settlement Terms and Security Enhancements

In addition to the $52 million monetary settlement, Marriott has agreed to a series of significant changes aimed at bolstering its cybersecurity practices. These measures are intended to prevent future breaches and restore consumer confidence in the company’s handling of sensitive information.

Among the requirements Marriott must adhere to:

  1. Data Minimization and Disposal: Marriott will limit the collection and retention of personal information to reduce the risks associated with data exposure.
  2. Enhanced Security for New Acquisitions: For future acquisitions, Marriott is required to assess the security practices of the acquired company and address any vulnerabilities before integrating systems.
  3. Mandatory Employee Training and Multifactor Authentication: Marriott has committed to enhanced cybersecurity training for its employees and the implementation of multifactor authentication for loyalty programs, including its popular Marriott Bonvoy system.
  4. Third-Party Assessments: For the next 20 years, Marriott will be subject to independent, third-party evaluations of its security program every two years. These assessments will ensure ongoing compliance and improvements in its data protection strategies.

The settlement underscores the importance of corporate responsibility in safeguarding consumer data. As data breaches become increasingly common, the agreement represents a broader effort by state attorneys general to hold companies accountable for cybersecurity failures. This settlement follows similar actions taken against other large corporations over data breaches, signaling a growing focus on data protection in an era where personal information is a highly valuable and vulnerable asset.

The breach, which stemmed from a guest-reservation system Marriott inherited through its acquisition of Starwood Hotels, highlights the complexities that can arise during corporate mergers and acquisitions, particularly when companies fail to thoroughly vet the security measures of the entities they acquire. Going forward, the new requirements will ensure Marriott prioritizes data security as an essential part of its business operations.

The $52 million settlement will be distributed among the participating states, providing some measure of restitution for the millions of consumers whose personal information was put at risk.