If you're a Marriott customer, FTC says the breach-plagued hotel chain owes you
The FTC has come down hard on hotel chain Marriott following a series of data breaches between 2014 and 2020 that harmed more than 344 million customers around the world.
In a Wednesday news release announcing a settlement order with the company, the agency said that Marriott must delete any personal data associated with a customer’s account upon request and restore any loyalty points lost as a result of the breaches. Further, the chain will have to dramatically tighten its security to better protect customers from future cyberattacks.
Marriott acquired Starwood in 2015, creating the world’s largest hotel company. But the years have been problematic for the chain, at least when it comes to cybersecurity.
In its complaint, the FTC charged that the company failed to secure customer data in at least three separate data breaches. As a result, hackers were able to steal such user information as payment card numbers, loyalty numbers, passport data, dates of birth, and email addresses.
Specifically, Marriott and Starwood failed to set up proper password controls, access controls, firewall controls, or network segmentation, according to the FTC. The chain also neglected to patch outdated software and systems, monitor network environments, and implement effective multi-factor authentication. The company deceived its customers, the FTC added, by claiming to have reasonable and appropriate security in place.
Starting in June 2014, the first breach affected more than 40,000 Starwood customers and went undetected for 14 months. Starting in July 2014, the second breach led to the theft of 339 million Starwood guest account records and 5.25 million unencrypted passport numbers and was undetected until September 2018.
Starting in September 2018, the third breach impacted more than 5.2 million guest records, capturing names, mailing addresses, email addresses, phone numbers, and loyalty card information. This one went undetected until February 2020.
With all these breaches, the chain has faced a slew of lawsuits and fines. In another settlement with 50 state attorneys general announced on Wednesday, Marriott will have to pay a fine of $52 million. This one stems from the breach of its Starwood guest account database. With this settlement and the one with the FTC, the company has its work cut out for it.
For Marriott customers, the FTC settlement means the following:
- You can ask the company to review your Bonvoy account for unauthorized or suspicious activity. If any loyalty points were stolen as a result, the company will be required to restore them.
- Using the Marriott website or mobile app, you can request the deletion of any personal data associated with your email address or Bonvoy account number.
- You’ll now be able to set up multi-factor authentication on your Bonvoy account to better secure it.
- The company’s privacy policy must clearly explain why it’s collecting and keeping your personal data.
To beef up its cybersecurity, Marriott will also have to address the following:
- The chain must set up a comprehensive security program that includes multi-factor authentication, encryption, and other safeguards.
- It will have to cooperate with third-party audits of its information security program.
- It can keep and store personal customer information only if there’s a business need.
- The company can use the information it collects only for the stated purpose.
- It must delete any information it has collected when no longer needed.
- It cannot use any data that was supposed to be deleted for marketing reasons.
There’s even more on Marriott’s plate as a result of the settlement with the state attorneys general.
As part of its information security program, the company must establish zero-trust principles, regular security reporting to the CEO, and employee training on data handling and security.
To better protect customer data, Marriott must implement several measures, including component hardening, asset inventory, encryption, network segmentation, patch management, intrusion detection, user access controls, and the tracking of files and users within the network.
The hotel chain must also increase its security oversight of vendors and franchisees, paying special attention to risk assessments for critical IT vendors and cloud providers. If Marriott acquires another company in the future, it must analyze that business’s security and develop plans to identify and correct any gaps or weaknesses in its program.
Finally, Marriott will have to submit to an independent third-party review of its information security program every two years for up to 20 years.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in the news release. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”