
The State of Oklahoma will receive $660,000 as part of a settlement resulting from a lawsuit against Marriott International, Inc. for violating consumer protection and data breach notification laws, as announced by the Oklahoma Attorney General’s Office.
The lawsuit originated from Marriott’s acquisition of Starwood Hotels and Resorts Worldwide, LLC, announced on November 16, 2015, for $12.2 billion. Following this acquisition, Marriott assumed control of Starwood’s computer network and began integrating its systems into Marriott’s infrastructure over a two-year period, which was completed in December 2018.
Despite this integration, the lawsuit alleges that Marriott failed to detect a significant breach within the Starwood network, neglecting its responsibility for information security following the acquisition. The breach was not discovered until September 7, 2018, and was publicly announced by Marriott on November 30, 2018. The incident exposed personal information from approximately 339 million consumer records globally, with around 131.5 million records pertaining to U.S. customers. The compromised information included sensitive data such as contact details, birth dates, payment card information, passport numbers, and customer preferences.
In a further incident in March 2020, Marriott reported that malicious actors had gained access to employee credentials, leading to unauthorized access to consumer data. This breach, which began in September 2018 and continued until December 2018, was followed by additional unauthorized access from January 2020 to February 2020, affecting over 5.2 million guest records, including 1.8 million associated with U.S. consumers.
The lawsuit contends that "Marriott and/or Marriott as successor to Starwood failed to provide reasonable or appropriate security for the personal information that it collected and maintained about consumers."
Oklahoma Attorney General Gentner Drummond is among 50 attorneys nationwide who have settled with Marriott. The settlement requires Marriott to enhance its data security practices and introduce new protections for its guests. Marriott has agreed to pay $52 million to the participating states as part of this settlement.