DES MOINES, IOWA (October 9, 2024) — Iowa Attorney General Brenna Bird has announced that a bipartisan coalition of fifty attorneys general has reached a settlement with Marriott International, resolving a years-long investigation into a data breach of its guest reservation database. The Federal Trade Commission reached a separate settlement with Marriott.

Marriott has agreed to strengthen its data security practices, offer its guests new protections, and pay a total of $52 million to the States. Iowa will receive $594,105 from the settlement. For years, intruders had undetected access to Marriott’s database, exposing 131.5 million guest records. These hacked records included contact information, gender, dates of birth, preferred-guest information, reservation information, and hotel-stay preferences, as well as some passport numbers and payment-card information.

“No Iowans should have to fear that when they take a family vacation, their data will be exploited by hackers,” said AG Bird. “This settlement holds Marriott accountable for exposing more than 131 million guest records, containing Americans’ personal data, and requires safeguards to ensure all future guests are protected.”

Fifty attorneys general launched an investigation into the breach. This settlement resolves the case made by attorneys general that Marriott violated state consumer-protection laws, personal-information protection laws, and breach-notification laws by failing to implement proper security measures.

Marriott has agreed to the following measures to strengthen its cybersecurity practices:

  • Implementation of an Information Security Program. This program includes incorporating zero-trust principles, mandating regular security reporting within the company, and enhancing employee training on data handling and security.
  • Reduction of guest data being collected and retained.
  • Addition of safeguards to detect and prevent hackers who attempt to infiltrate the network.
  • Increase in oversight for vendors and franchisees, especially relating to IT, as well as more clearly outlining contracts with cloud providers.
  • If Marriott acquires future entities, it must timely assess each entity’s security programs and develop plans to address any inadequacies.
  • Third-party reviews of Marriott’s information security program every two years for a period of twenty years.

Iowa joined the Connecticut, District of Columbia, Illinois, Louisiana, Maryland, Massachusetts, North Carolina, Oregon, and Texas-led multistate investigation. They were joined by Alabama, Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Kansas, Kentucky, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, New York, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

Read the full settlement here.
