Breaches

FTC Orders Marriott and Starwood to Enhance Data Security Measures

Marriott and Starwood data security measures updated by FTC order.

The Federal Trade Commission's Order on Marriott: A Push for Better Digital Security

On a recent Friday, the Federal Trade Commission (FTC) announced a significant step in protecting consumer data by finalizing an order requiring Marriott International and its subsidiary Starwood Hotels to enhance their digital security measures. This decision comes in the wake of multiple security breaches that left sensitive customer information vulnerable.

The Breaches: A Timeline of Security Failures

Marriott's security troubles began with three major breaches detected in 2015, 2018, and 2020, affecting over 344 million customers globally. These incidents resulted in the exposure of critical data, including passport details, payment card information, and other personal data. Notably:

  • The shortest breach lasted an alarming 14 months before detection.
  • The longest breach saw attackers maintain unauthorized access for nearly four years starting in 2018.

New Security Measures and Policies

In response to these breaches, Marriott and Starwood have agreed to implement improved security protocols, including:

  • Establishing policies to retain customer information only as long as necessary.
  • Publishing a link that allows U.S. customers to request the deletion of information associated with their email or loyalty accounts.

Such actions represent a crucial shift in the way the hospitality industry handles customer information.

The Growing Threat to the Hospitality Industry

Hotels have increasingly become prime targets for cybercriminals. In fact, a ransomware attack last year affecting MGM Resorts left guests and FTC Chair Lina Khan stuck waiting in line, as the resort reverted to using pen and paper to manage check-ins.

FTC Enforcement and Future Compliance

The FTC charged Marriott and Starwood with deceiving consumers by falsely claiming to have "reasonable and appropriate data security" practices. The companies were criticized for:

  • Implementing weak password and firewall protocols.
  • Failing to patch outdated software and systems.

As part of the order, Marriott is prohibited from making any misrepresentations about its data handling practices, including how it collects, maintains, and deletes customer data. These requirements will remain in effect for 20 years.

Additionally, the company will need to keep compliance records and submit to FTC inspections, ensuring accountability in its data protection efforts.

The Settlement and Consumer Protection

On the same day the FTC revealed its charges, the Connecticut Attorney General’s office announced that Marriott had agreed to a $52 million settlement related to the breaches. This settlement underscores the serious consequences companies can face when they fail to protect consumer data.

In conclusion, as digital security continues to be a pressing issue across industries, Marriott’s case serves as a reminder of the critical need for businesses to prioritize customer data protection and implement robust security measures.

前後の記事を読む

Brendan Carr warns Disney CEO Bob Iger about media censorship implications.
xAI logo with Nvidia and AMD logos, representing funding success.

コメントを書く

全てのコメントは、掲載前にモデレートされます

このサイトはhCaptchaによって保護されており、hCaptchaプライバシーポリシーおよび利用規約が適用されます。