
October 10, 2024

Tong: CT to receive share of $52M settlement with Marriott for major data breach


Dozens of states, including Connecticut, have reached a settlement with Marriott International Inc., following an investigation into a major data breach at one of its guest reservation databases, Attorney General William Tong announced.

The lawsuit was brought by 50 attorneys general and was co-led by Tong. As part of the settlement, Marriott will pay the states a total of $52 million.

Connecticut will receive about $2 million from the settlement.

The settlement stems from the 2018 cyberattack on Marriott’s guest reservation system, which affected its Starwood properties.

Marriott acquired Starwood in 2016 and took control of its computer network that same year.  

The breach began two years before the acquisition and went undetected for four years.

By the time Marriott detected the breach in September 2018, 131.5 million customer records had been compromised. The records included personally identifying information, Starwood Preferred Guest status, reservation information, unencrypted passport numbers and payment card information.

Under the settlement, Marriott has agreed to strengthen its data security practices using a “dynamic risk-based approach” and provide certain consumer protections, according to Tong’s office.

“Companies have an obligation to take reasonable measures to protect consumer data security,” Tong said. “Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests. This 50-state settlement, co-led by Connecticut, forces a strong system of risk-based protections to guard against ever-evolving threats to cybersecurity.” 

Also, Marriott will be required to conduct an annual enterprise-level risk assessment and perform risk analyses throughout the year for changes to security controls.  

In the lawsuit, the plaintiffs alleged that Marriott violated state consumer protection laws, personal information protection laws, and breach notification laws by failing to implement reasonable data security and remediate data security deficiencies.

The Federal Trade Commission has reached a settlement with Marriott in a separate lawsuit. 
