Michigan to receive over $1 million as part of Marriott data breach settlement
Michigan is getting over $1 million of a $52 million settlement reached between Marriott and a coalition of 50 Attorneys General.
Michigan Attorney General Dana Nessel, who announced the settlement in a statement Friday, was part of the coalition and said the state will receive just over $1.2 million from the settlement.
This comes after an investigation into a multi-year data breach of one of its guest reservation databases. The Federal Trade Commission and the states ran parallel investigations into the breach.
As a result, "malicious actors" obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers around the U.S., according to the FTC's proposed complaint.
The FTC claimed that Marriott and subsidiary Starwood Hotels & Resorts Worldwide's poor data security practices led to the breaches. Specifically, the agency alleged that the hotel operator failed to secure its computer system with appropriate password controls, network monitoring or other practices to safeguard data.
"Companies we trust to handle our sensitive information must provide robust cyber security measures to protect consumers from breaches," Nessel said in the statement.
As part of a proposed settlement with the FTC, Marriott agreed to "implement a robust information security program" and provide all of its U.S. customers with a way to request that any personal information associated with their email address or loyalty rewards account number be deleted.
In a statement on its website Wednesday, Bethesda, Maryland-based Marriott noted that it made no admission of liability as part of its agreements with the FTC and states. It also said it has already put in place data privacy and information security enhancements.
In early 2020, Marriott noticed that an unexpected amount of guest information was accessed using login credentials of two employees at a franchised property. At the time, the company estimated that the personal data of about 5.2. million guests worldwide might have been affected.
In November 2018, Marriott announced a massive data breach in which hackers accessed information on as many as 383 million guests. In that case, Marriott said unencrypted passport numbers for at least 5.25 million guests were accessed, as well as credit card information for 8.6 million guests. The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016.
The FBI led the investigation of that data theft, and investigators suspected the hackers were working on behalf of the Chinese Ministry of State Security, the rough equivalent of the CIA.
Earlier this year, a criminal cyberattack caused disruptions to information technology and phone systems at McLaren Health Care.
