Photo credit: www.theverge.com
FTC Orders Marriott and Starwood to Enhance Data Security After Major Breaches
The Federal Trade Commission (FTC) recently finalized an order compelling Marriott International and its subsidiary, Starwood Hotels, to significantly enhance their data security measures. The decision responds to a series of substantial data breaches affecting over 344 million customers globally. As reported by BleepingComputer, the breaches occurred in 2015, 2018, and 2020 and exposed sensitive customer information, including passport details and payment card data.
Details emerging from the investigation reveal serious lapses in the companies’ security practices. The shortest breach went undetected for 14 months, while the longest gave intruders continued access for four years, beginning in 2018. Under the new order, Marriott and Starwood must implement robust security policies. These include data retention rules that keep customer information only for as long as necessary, and a clear process for customers to request the deletion of data tied to their email addresses or loyalty accounts.
Hotels have increasingly become targets for cyberattacks, and the hospitality industry faces heightened scrutiny because of its exposure to ransomware and other malicious activity. A recent incident involved MGM Resorts, where even FTC Chair Lina Khan was inconvenienced by a ransomware attack that forced the company to fall back on manual check-in processes.
In October, the FTC publicly announced its charges against Marriott and Starwood, claiming they had “deceived consumers” by making unsubstantiated claims about the adequacy of their data security. Specific failings included weak password management, inadequate firewall protections, and failure to apply urgently needed software updates. Coinciding with the FTC’s announcement, the Connecticut Attorney General’s office disclosed that Marriott had agreed to a $52 million settlement related to the breaches.
In addition to strengthening their security practices, the companies are prohibited from misrepresenting how they collect, maintain, use, and dispose of personal information. They must also keep compliance records and are subject to potential FTC inspections. The order remains in effect for the next two decades, with the aim of safeguarding consumer data more effectively.
Source: www.theverge.com