
Hotel chain Marriott agrees to US$52m settlement over data breaches impacting 344m

Marriott and its Starwood subsidiary have also agreed to improve their information security after data security failures.

David Hollingworth
Fri, 11 Oct 2024

The Marriott hotel chain and its Starwood subsidiary have agreed to undergo a comprehensive data security program to settle Federal Trade Commission charges that the companies failed to adequately protect customer data following three data breaches between 2014 and 2020 that saw the data of more than 344 million customers exposed.

Marriott and Starwood also agreed to offer customers the means to request their personal information be deleted and to have their customer loyalty programs reviewed and stolen loyalty points restored.

Marriott also agreed to pay US$52 million under a separate settlement to the District of Columbia and 49 states regarding similar security concerns.

The FTC alleged that Marriott and its subsidiary deceived their customers by “claiming to have reasonable and appropriate data security”, yet failed to deliver on that promise. According to the FTC, Marriott and Starwood did not have proper password, access, or firewall controls in place, nor proper network segmentation.

In addition, the companies had failed to properly update their software, log and monitor network activity, or employ multifactor authentication.

Because of these “security failures”, Marriott and its subsidiary suffered three data breaches in the space of six years. A 2014 breach impacting the credit card information of more than 40,000 customers went unnoticed for 14 months before Marriott finally informed customers, and a second 2014 breach, this time impacting 339 million guest records worldwide, remained undetected until September 2018.

The third breach occurred in 2018 but was not detected until 2020, this time affecting 5.2 million guest records. This breach compromised “names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information”.

Under the settlement agreement, Marriott and Starwood will be required to implement a data minimisation policy, certify compliance with a robust data security program to the FTC each year for 20 years, review their loyalty rewards program, and provide a link where customers can request the deletion of their personal data.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.

“The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
