The Federal Trade Commission (FTC) has taken action against Marriott International, Inc. and its subsidiary, Starwood Hotels & Resorts, following a series of significant data breaches affecting over 344 million customers.
These breaches, occurring between 2014 and 2020, exposed sensitive personal data, including passport numbers, payment details, and loyalty account information. As part of a proposed settlement, Marriott and Starwood are required to overhaul their data security practices, implement a comprehensive security program, and offer customers a means to request the deletion of personal information.
Marriott International, a hospitality giant with over 7,000 properties worldwide, acquired Starwood in 2016 and inherited its security vulnerabilities. Despite claims of safeguarding consumer data, the FTC found that both companies failed to implement basic security measures such as password controls, firewalls, and network segmentation. Additionally, Marriott and Starwood neglected to patch outdated systems, monitor network environments, or deploy adequate multi-factor authentication.
Marriott's repeated failures at safeguarding client data
The FTC's complaint highlights three major breaches that resulted from poor security measures across Marriott and Starwood's IT infrastructure.
- The first breach, which occurred in June 2014, impacted the payment card information of more than 40,000 Starwood customers and went undetected for 14 months.
- A second, more extensive breach began in July 2014 and persisted until September 2018, exposing 339 million guest accounts globally, including 5.25 million unencrypted passport numbers.
- The final breach, spanning from September 2018 to February 2020, compromised 5.2 million Marriott guest records. The compromised data included names, contact details, and loyalty account information.
As part of the settlement agreement, Marriott and Starwood must establish and maintain a robust information security program. This program will require annual compliance certifications, independent third-party assessments every two years, and immediate corrective action in response to security incidents.
Additionally, the companies are prohibited from misrepresenting their data collection, maintenance, and security practices. They must also minimize data retention, holding on to personal information only as long as necessary for business purposes, and provide a clear process for customers to request the deletion of their data.
Alongside the FTC settlement, Marriott has agreed to a separate $52 million payment to 49 states and the District of Columbia, resolving similar allegations at the state level. The multi-state investigation, co-led by Connecticut, focused on Marriott's failure to secure the Starwood guest reservation database, which remained vulnerable even after the acquisition. As part of this settlement, Marriott will also adopt a risk-based cybersecurity framework, regularly assess security risks, and enhance employee training on data protection.