Marriott Pays $52M Data Breach Fine; NJ Gets $1.3M

About 131.5 million Americans were impacted by the data breach, including more than 4.3 million New Jerseyans.Photo byMorristown Minute

Following widespread data breaches that exposed millions of consumers' personal information, Marriott agrees to strengthen cybersecurity practices.

NEW JERSEY - New Jersey Attorney General Matthew J. Platkin announced that a coalition of 50 Attorneys General reached a $52 million settlement with Marriott International, Inc. The settlement resolves investigations into two major data breaches that compromised sensitive personal data of millions of consumers. New Jersey will receive $1.3 million as part of the settlement, which aims to address violations of data breach laws, including the New Jersey Consumer Fraud Act.

“This settlement is another example of how New Jersey and other states are working together to hold corporations accountable for their failures to safeguard customer data,” said Attorney General Platkin. “Together, we are requiring companies to treat consumer data as carefully as they do their other assets.”

“Consumers have the right to know that corporations take data privacy seriously and will protect their private information,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “We are pleased that, as a result of this settlement, Marriott will improve their processes going forward.”

The first breach began in 2014 when hackers installed malware in the guest reservation database of Starwood Hotels, which Marriott later acquired in 2016. The breach went undetected until 2018, during which time hackers accessed sensitive information, including contact details, dates of birth, hotel preferences, and unencrypted passport numbers and payment card data. In total, the breach affected 131.5 million Americans, including more than 4.3 million New Jersey residents.

A second breach occurred between September 2018 and February 2020, when attackers compromised credentials at a Marriott-franchised property, gaining access to more than 5.2 million guest records, including data from 1.8 million U.S. consumers. Marriott announced the discovery of this second breach in March 2020.

As part of the settlement, Marriott has agreed to implement a series of cybersecurity improvements to prevent future breaches. These measures include appointing a Chief Information Security Officer, conducting mandatory risk assessments during acquisitions, and creating a Board of Directors committee to oversee information security. Marriott is also required to improve encryption, patch management, and intrusion detection and will be subject to ongoing audits by independent third parties.

New Jersey Deputy Attorney General Mandy K. Wang, along with her colleagues in the Division of Consumer Affairs, played a key role in the investigation, which aimed to hold Marriott accountable for its failure to protect consumers' personal data. Investigator Aziza Salikhova of the Office of Consumer Protection was instrumental in the investigation.

In addition to financial penalties, Marriott must also provide methods for consumers to request the deletion of personal data and review loyalty rewards accounts for unauthorized activity.

This settlement underscores the critical need for businesses to take proactive steps in safeguarding consumer information and the importance of holding companies accountable when they fail to do so.

For updates, subscribe to our free newsletter!

Support your local news!