WASHINGTON (Reuters) -The U.S. Federal Trade Commission said on Wednesday it will require Marriott International (NASDAQ:MAR) and its subsidiary Starwood Hotels & Resorts Worldwide (NYSE:HOT) to put in place an information security program to settle charges over multiple data breaches from 2014 to 2020.
The three large data breaches, which took place from 2014 to 2020, affected more than 344 million customers worldwide, the FTC said.
"Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”
Marriott and Starwood also agreed to provide its U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number. Marriott will also be required to review loyalty rewards accounts upon customer request and restore stolen loyalty points, the FTC said.
In a separate settlement also announced on Wednesday, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations, the FTC said.
"Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats," Marriott said in a statement after the settlement was announced.
"As indicated in the agreements with the FTC and the state Attorneys General, Marriott makes no admission of liability with respect to the underlying allegations," the statement said.
Marriott also faced a London class action suit in 2020 brought by millions of former guests demanding compensation after their personal records were hacked in one of the largest data breaches in history.