A coalition of 50 attorneys general has settled with Marriott International due to an investigation into a large multi-year data breach of one of its guest reservation databases, South Carolina Attorney General Alan Wilson said Wednesday.
The Federal Trade Commission coordinated with states throughout this investigation and reached a parallel settlement with Marriott. Under the settlement with the attorneys general, Marriott agreed to strengthen its data security practices using a dynamic risk-based approach, provide certain consumer protections, and pay states $52 million.
South Carolina will receive $767,458 from the settlement.
Marriott acquired Starwood in 2016 and took control of the Starwood computer network in 2016. However, from July 2014 until September 2018, intruders in the system went undetected.
This led to the breach of 131.5 million customers’ guest records in the United States. The impacted records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, hotel stay preferences, and a limited number of unencrypted passport numbers and unexpired payment card information.
Shortly after the breach of the Starwood database was announced, a coalition of 50 attorneys general launched a multi-state investigation into the breach. The settlement resolves allegations by the attorneys general that Marriott violated state consumer protection laws, personal information protection laws, and, where applicable, breach notification laws by failing to implement reasonable data security and remediate data security deficiencies, particularly when attempting to use and integrate Starwood into its systems.