
The Federal Trade Commission has finalized an order requiring Marriott International and subsidiary Starwood Hotels to significantly improve their digital security practices. The move comes in response to three major data breaches detected in 2015, 2018, and 2020, which collectively affected over 344 million customers worldwide.
According to the FTC, these breaches resulted from Marriott’s and Starwood’s failure to adequately protect consumer information, including passport details, payment cards, and other sensitive data. The company’s inadequate security measures allowed hackers to maintain access for up to four years in one instance.
As part of the agreement, Marriott International must establish new policies ensuring that personal information is only retained as long as it is necessary. Additionally, the companies will be required to publish a link allowing US customers to request deletion of information tied to their email address or loyalty account.
The FTC had previously charged Marriott and Starwood with deceptive practices in October, alleging that they made false claims about having “reasonable and appropriate data security.” The agency found that these breaches were the result of inadequate password management, poor firewall practices, and failure to patch outdated software and systems.
In a separate incident last year, MGM Resorts was forced to revert to pen and paper due to a ransomware attack that compromised customer data. This highlights the ongoing vulnerability of hotels as targets for hackers.
Marriott International has agreed to settle these charges with a $52 million payment. The agreement also prohibits the companies from misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information, and requires that they not compromise the privacy, security, availability, confidentiality, or integrity of that data.
Furthermore, Marriott will be required to keep detailed compliance records and submit to regular inspections by the FTC. The agreement will remain in effect for 20 years.
This development underscores the critical need for hotels and other companies handling sensitive consumer information to prioritize robust digital security measures to protect against increasingly sophisticated cyber threats.
Source: http://www.theverge.com