Iowa to receive over $500K in nationwide settlement after Marriott data breach

Attorney General Brenna Bird announced Iowa has joined every other state and the District of Columbia in a $52 million settlement with Marriott International for a data breach that exposed guest information.

Bird joined a coalition of 50 other attorneys general in a years-long investigation into the 2018 data breach, which exposed the personal information of 131.5 million customers in the U.S. and 339 million customers globally, including contact information, dates of birth, payment information and passport numbers, according to the settlement. A separate settlement was reached with the Federal Trade Commission, as well.

Iowa will receive $594,105 from the settlement, according to a news release from the Attorney General's Office .

“No Iowans should have to fear that when they take a family vacation, their data will be exploited by hackers,” Bird said in the release . “This settlement holds Marriott accountable for exposing more than 131 million guest records, containing Americans’ data, and requires safeguards to ensure all future guests are protected.”

The breach happened after Marriott acquired Starwood Hotels and Resorts Worldwide, LLC in 2016 and was not detected until 2018.

However, according to the settlement, forensic examiners determined Starwood's network was compromised in 2014 before Marriott acquired the company. The breach continued until 2018 under Marriott's ownership.

Key loggers, memory-scraping malware and Remote Access Trojans were used in over 480 systems across 58 Starwood locations, according to the settlement .

The breach resumed in 2020, when 5.2 million global guest records were accessed, including 1.8 million in the U.S. Credentials of employees were also obtained.

Marriott was found to have failed to provide appropriate security measures after the acquisition of Starwood, including failing to fix outdated software systems, not implementing firewall controls, not using multi-factor verification and other password controls and not eradicating threats once detected in 2018.

As part of the settlement, Marriott has agreed to strengthen its cybersecurity practices including the implementation of an information security program, reduction of collected and contained guest data, more network safeguards and more IT oversight. Marriott has also agreed to assess security programs in future acquisitions and have third-party reviews of security programs every two years for the next 20 years.

According to a release from Marriott on Oct. 9 , Marriott "makes no admission of liability with respect to the underlying allegations."

Kyle Werner is a reporter for the Register. Reach him at kwerner@dmreg.com.

This article originally appeared on Des Moines Register: Iowa to receive over $500K in nationwide settlement after Marriott data breach