Marriott to Pay $52 Million, Upgrade Cybersecurity, to Settle Probes into Three Big Breaches

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” according to the FTC.

Two of the cyberattacks began at Starwood in 2014, two years before Marriott bought it for $13 billion. Photo: PR Newswire

The Federal Trade Commission (FTC) has ordered Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement a “comprehensive information security program” after the hotel giant suffered three major data breaches from 2014 to 2020 that exposed the personal information of 344 million customers worldwide.

In a separate settlement announced Wednesday—which involved all 50 state attorneys general—Marriott agreed to pay $52 million in penalties in connection with two of the breaches, which ran from 2014 to 2018 and exposed 131 million Starwood guest records.

The enforcement actions highlight the cybersecurity risks companies face when they make large acquisitions, and serve as a stark reminder not to let inherited vulnerabilities go unnoticed. Two of the three breaches occurred at Starwood and began before Marriott bought its lodging rival for $13 billion in 2016, with one going undetected for 14 months and the other going undetected until 2018.

In connection with the FTC settlement, the agency released a complaint and consent order alleging that Marriott misled customers by claiming to have appropriate data security measures in place while, in reality, the hotel chain did not. In fact, Marriott and Starwood failed to implement proper password controls, access controls, or firewall protections, and also neglected to patch outdated software, properly log and monitor their network environments, or use adequate multifactor authentication, according to the FTC.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement Wednesday. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

As part of the FTC settlement, Marriott and Starwood must:

In a statement, Marriott said that it has already started improving its data privacy and security programs. It is now offering U.S. customers a way to request that their personal information be deleted, providing an online portal for Marriott Bonvoy members to report suspicious activity in their loyalty accounts, and rolling out a multifactor authentication option for Marriott Bonvoy accounts.

“Protecting guests’ personal data remains a top priority for Marriott,” the company said. “These resolutions reaffirm the company’s continued focus on, and significant investments in, maintaining and adapting programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”

The FTC and states said they worked jointly on the probe. The FTC said its settlement does not include a civil penalty because it lacks the legal authority to obtain one in this case.

From: Corporate Counsel