Have you stayed at a Marriott? Here's what its settlement with the FTC means for you
The FTC has come down hard on hotel chain Marriott following a series of data breaches between 2014 and 2020 that harmed more than 344 million customers worldwide.
In an Oct. 9 news release announcing a settlement order with the company, the agency said that Marriott must delete any personal data associated with a customer’s account upon request and restore any loyalty points lost because of the breaches. Further, the chain must dramatically tighten its security to better protect customers from future cyberattacks.
Marriott acquired Starwood in 2015, creating the world’s largest hotel company. But the years since have been problematic for the chain, at least when it comes to cybersecurity.
In its complaint, the FTC charged that the company failed to secure customer data in at least three separate data breaches. As a result, hackers were able to steal user information such as payment card numbers, loyalty numbers, passport data, dates of birth, and email addresses.
Specifically, Marriott and Starwood failed to set up proper password controls, access controls, firewall controls, or network segmentation, according to the FTC. The chain also neglected to patch outdated software and systems, monitor network environments, and implement effective multi-factor authentication. The company deceived its customers, the FTC added, by claiming to have reasonable and appropriate security in place.
Starting in June 2014, the first breach affected more than 40,000 Starwood customers and went undetected for 14 months. Starting in July 2014, the second breach led to the theft of 339 million Starwood guest account records and 5.25 million unencrypted passport numbers and was undetected until September 2018.
In September 2018, the third breach impacted more than 5.2 million guest records, capturing names, mailing addresses, email addresses, phone numbers, and loyalty card information. This one went undetected until February 2020.
As a result of all these breaches, the chain has faced a slew of lawsuits and fines. In another settlement with 50 state attorneys general also announced on Oct. 9, Marriott will have to pay a fine of $52 million. This one stems from the breach of its Starwood guest account database. With this settlement and the one with the FTC, the company has its work cut out for it.
For Marriott customers, the FTC settlement means the following:
- You can ask the company to review your Bonvoy account for unauthorized or suspicious activity. If any loyalty points are stolen as a result, the company will be required to restore them.
- Using the Marriott website or mobile app, you can request the deletion of any personal data associated with your email address or Bonvoy account number.
- You’ll now be able to set up multi-factor authentication on your Bonvoy account to better secure it.
- The company’s privacy policy must clearly explain why it’s collecting and keeping your personal data.
To beef up its cybersecurity, Marriott will also have to address the following:
- The chain must set up a comprehensive security program that includes multi-factor authentication, encryption, and other safeguards.
- It will have to cooperate with third-party audits of its information security program.
- It can keep and store personal customer information only if there’s a business need.
- The company can use the information it collects only for the stated purpose.
- It must delete any information it has collected when no longer needed.
- It cannot use any data that was supposed to be deleted for marketing reasons.
There’s even more on Marriott’s plate as a result of the settlement with the state attorneys general.
As part of its information security program, the company must establish zero-trust principles, regular security reporting to the CEO, and employee training on data handling and security.
To better protect customer data, Marriott must implement several measures, including component hardening, asset inventory, encryption, network segmentation, patch management, intrusion detection, user access controls, and the tracking of files and users within the network.
The hotel chain must also increase its security oversight of vendors and franchisees, paying special attention to risk assessments for critical IT vendors and cloud providers. If Marriott acquires another company in the future, it must analyze that business’s security and develop plans to identify and correct any gaps or weaknesses in its program.
Finally, Marriott will have to submit to an independent third-party review of its information security program every two years for up to 20 years.
“The recent settlements imposed on Marriott serve as a reminder of the increasing accountability businesses and their security leaders face regarding data security,” Darren Guccione, CEO and co-founder at Keeper Security, told ZDNET.
“The required implementation of a comprehensive information security program sets a benchmark for other companies to follow, and is a clear message from the FTC that negligence in protecting customer data can lead to substantial penalties and lasting reputational damage,” Guccione added. “Business leaders are now on notice that they must prioritize cybersecurity more than ever before. For consumers, the right to request data deletion and improved protection of loyalty accounts provide some reassurance that their privacy is being taken seriously.”