Attorney General Ken Paxton has secured a settlement with Marriott International, Inc., that resolves an investigation into a breach of one of the company’s reservation databases.
The breach exposed 131 million guest records pertaining to customers in the United States and these records included contact information, gender, dates of birth, legacy Starwood Preferred Guest information, reservation information, and hotel stay preferences, as well as a limited number of unencrypted passport numbers and unexpired payment card information.
The Agreed Final Judgment entered in this case includes comprehensive injunctive terms to strengthen Marriott’s data security practices. Marriott’s information security program includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company including the Chief Executive Officer, and enhanced employee training on data handling and security.
“Texas law is clear that companies in possession of Texans’ personal information have a duty to safeguard that data,” said Attorney General Ken Paxton. “Given the frequency of cyberattacks today, it is simply unreasonable for companies to lack a comprehensive risk-based data security program. Through this settlement, customers will be much better protected. I will continue to fight for our citizens’ privacy and data security.”
Marriott will also make a $52 million payment to the 50 states participating in this settlement, including $3.5 million to the State of Texas.