
Attorney General Josh Stein Reaches $52 Million Multistate Data Breach Settlement with Marriott

For Immediate Release:
Wednesday, October 9, 2024

Contact:
Nazneen Ahmed (919) 716-0060

(RALEIGH) Attorney General Josh Stein and a bipartisan group of 50 attorneys general reached a settlement with Marriott International, Inc. after an investigation into a large multi-year data breach of one of its guest reservation databases. Marriott has agreed to strengthen its data security practices, provide certain consumer protections, and make a $52 million payment to states. North Carolina will receive $2,059,176 from the settlement.

“It feels as though every other week we are hearing about another massive data breach,” said Attorney General Josh Stein. “Companies shouldn’t store any more consumer data than they need, and they need to take extra steps to protect that data. If they fail to reasonably protect people’s information, my office will hold them accountable.”

Marriott acquired Starwood in 2016 and took control of the Starwood computer network that same year. However, intruders were in the system undetected from July 2014 until September 2018. This led to the breach of 131.5 million guest records of customers in the United States. The compromised information included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as some unencrypted passport numbers and unexpired payment card information.

The North Carolina attorney general’s office co-led the investigation into Marriott. As part of the settlement, Marriott has agreed to strengthen and continually improve its cybersecurity practices, including:

  1. Implementing a comprehensive information security program and enhanced employee training on data handling and security.
  2. Minimizing the amount of data collected and requiring data disposal so less consumer data is collected and retained.
  3. Adding additional security requirements for consumer data.
  4. Increasing vendor and franchisee oversight, with a special emphasis on risk assessments for critical IT vendors and clearly outlined contracts with cloud providers.
  5. Performing ongoing risk assessments to analyze potential harm to consumers.
  6. Assessing information security when acquiring any future entities and developing plans to address any identified security gaps.
  7. Conducting an independent third-party assessment of Marriott’s information security program every two years for the next 20 years.

As part of the settlement, Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy, as well as reviews of those accounts if there is suspicious activity. The Federal Trade Commission, which has been coordinating closely with the states throughout this investigation, has reached a parallel settlement with Marriott.

Follow our tips to protect your information from identity theft in case of a data breach:

  1. Be wary if you receive bills for services or products that you did not request. Hang on to unusual mail and digital notices from unknown lenders or businesses. Take note when local agencies and news services bring attention to new data breaches in your area.
  2. Don’t use the same password for multiple accounts or reuse old passwords. Change your passwords frequently and use two-factor authentication when possible.
  3. Update your cybersecurity software. The more up to date your software is, the better it can protect you and your personal information against data breaches.
  4. Check your financial accounts and credit statements often. If you see any suspicious activity in your accounts, report it immediately. In addition, the IRS will set up extra protections for your tax filings if you suspect any tax-related identity theft issues.
  5. Freeze your credit. Freezing your credit prevents identity thieves from taking out loans or opening credit cards in your name if your information is compromised in a data breach. You can freeze your credit with all three credit bureaus: Equifax, Experian, and TransUnion.
  6. Notify law enforcement. Oftentimes, law enforcement will not issue you a police report for your stolen private information until an identity thief actually uses your data. If you suspect that your information is being used by an identity thief, contact local law enforcement immediately.
  7. Don’t open emails, click links, or download attachments from unverified senders.
  8. Update software on your phone and computer regularly. Don’t forget updates on your smart watches, tablets, or any other electronic devices.

Attorney General Stein is joined in reaching this settlement by the Attorneys General of Connecticut, Maryland, Oregon, the District of Columbia, Illinois, Louisiana, Massachusetts, Texas, Alabama, Arizona, Arkansas, Florida, Nebraska, New Jersey, New York, Ohio, Pennsylvania, Vermont, Alaska, Colorado, Delaware, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Mexico, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

# # #