Oregon awarded $2M settlement after ‘massive’ Marriott data breach

PORTLAND, Ore. ( KOIN ) – Oregon will receive $2.1 million as part of a national data breach settlement with Marriott, Oregon Attorney General Ellen Rosenblum announced.

The coalition of 50 states, led by Oregon and eight other states, reached the settlement with Marrott International, Inc. after a “massive” four-year long data breach of the company’s Starwood system database, the Attorney General’s office said.

Under the settlement, Marriott agreed to strengthen its data security practices, provide consumer protections, and pay $52 million to the states.

“Marriott failed to live up to basic data security protocols,” Rosenblum said. “After acquiring Starwood in 2016, had Marriott followed their own information security policies, at least two years of continued malware intrusion into the Starwood data systems could have been avoided. And far fewer than the 131,500,000 guest records that were exposed would have been impacted. This settlement, years in the making, forces Marriott to take responsibility for its data-protection failures and strengthen its cybersecurity measures going forward.”

Rosenblum said Oregon’s $2.1 million will support the Oregon Department of Justice’s investigative, consumer protection, and consumer education efforts.

Marriott acquired Starwood in 2016 and took control of the Starwood computer network but from July 2014 to September 2018, hackers in the system went undetected, the Attorney General’s office said.

This led to a breach of 131.5 million guest records in the United States – including about 1.6 million guest records in Oregon; however the attorney general’s office noted that number doesn’t necessarily reflect individual consumers because there could be more than one record associated with a customer.

The records included guest’s contact information, gender, dates of birth, Starwood Preferred Guest Information, reservation information, hotel stay preferences, and a limited number of unencrypted passport numbers and card information.

Under the settlement, Marriott must implement a comprehensive information security program, and new data requirements leading to less consumer data being collected over time.

Marriott is also required to have an independent third-party assessment of its information security program every two years for the next 20 years.

For the latest news, weather, sports, and streaming video, head to KOIN.com.