Marriott and Starwood Hotels & Resorts Still Dealing With Data Breach Fallout

The FTC says three breaches occurred between 2014 and 2018.

If you assume that data breaches are never a major legal issue in commercial real estate, consider that Marriott International and Starwood Hotels & Resorts are still dealing with the aftermath of three major data breaches that took place between 2014 and 2018 and collectively affected more than 344 million customers globally.

According to the Federal Trade Commission and a proposed settlement order, Marriott and its subsidiary, Starwood, failed to “implement reasonable data security,” which led to the data breaches. They allegedly deceived customers by claiming to have “reasonable and appropriate data security.”

Marriott’s acquisition of Starwood made it responsible for the latter’s data security problems. Overall, Marriott manages and franchises 30 brands at more than 7,000 properties in 131 countries and territories. It is the largest hotel chain in the world, with more than 1.1 million rooms, about 7% of all hotel rooms worldwide.

Four days after Marriott announced the Starwood acquisition, it notified customers of a 14-month-long data breach in which a cybercriminal had broken into Marriott’s network and installed malware at more than 100 Starwood-owned or managed hotels. The data losses included payment card information for more than 40,000 customers: the card number, cardholder name, security code, and expiration date.

Starwood’s commissioned forensic examination was damning. It found inadequate firewalls and network segmentation, inadequate access controls, outdated and unsupported software, and a lack of multifactor authentication, all of which contributed to the initial breach.

Then there was a second breach, which Marriott did not detect until two years after it acquired Starwood. The malware let the cybercriminals expand their access and move through Starwood’s internal network for four years, during which they installed multiple types of malware on 480 systems across 58 locations. And then there was a third breach.

The companies have agreed to give all their U.S. customers a way to request deletion of personal information associated with either their email address or loyalty rewards account.

Additionally, customers can ask Marriott to review their loyalty accounts and restore stolen loyalty points. Marriott will also pay $52 million in penalties to 49 states and the District of Columbia, as the states worked in parallel with the FTC on the investigation. Technically, the FTC itself cannot impose civil penalties in this case.

The FTC offered some lessons to be learned, which could be useful to CRE companies. First, before completing an acquisition, thoroughly examine the target company’s security practices. Second, use a multi-layered data security strategy. Third, collect and keep only the data you actually need. Fourth, when working with vendors, be sure they emphasize security.