Marriott and Starwood ordered to implement security overhaul in FTC settlement

The U.S. Federal Trade Commission has finalized an order requiring Marriott International Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a comprehensive information security program to settle charges following multiple hacks of the hotel group that led to the theft of details of 344 million customers globally.

In its complaint, the FTC cites three hacks targeting the hotel and resort group, the largest occurring in 2018, which at the time was reported to have involved 500 million customer records. Marriott and Starwood were subsequently hacked twice more in 2022: once in March 2022, with the theft of 5.2 million records, and again in July of that year.

The FTC complaint charged that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security when they failed to deploy reasonable security to protect consumers’ personal information. “These security failures resulted in at least three separate data breaches that enabled malicious actors to obtain vast amounts of personal information from hundreds of millions of consumers, including passport information, payment card numbers, and loyalty numbers,” the complaint states.

Under the order, Marriott and Starwood are required to establish a comprehensive information security program to safeguard customer information, implement a policy to retain personal information only for as long as is reasonably necessary, and provide a link on their websites for U.S. customers to request that personal information associated with their email address or loyalty rewards account be deleted.

The order also requires Marriott to restore stolen loyalty points upon request from a customer.

To ensure that they don’t misbehave again in the future, Marriott and Starwood are now prohibited from misrepresenting how they collect, maintain, use, delete, or disclose customers’ personal information.

The Commission voted 3-2 in favor of the order, with two commissioners recusing themselves from the vote.

While neither Marriott nor Starwood has experienced another hack since 2020, the fact that they managed to score a hat-trick in the space of three years indicates gross corporate negligence. Irrespective of the FTC order, it’s unlikely that the companies will allow the same to happen again if they can help it.

Image: SiliconANGLE/Ideogram
