The Federal Trade Commission (FTC) has finalised an order requiring Marriott International and its subsidiary Starwood Hotels to enhance their data security practices significantly. This follows a series of major data breaches that compromised sensitive customer information, including passport details and payment card data.
Major breaches highlight security lapses
The breaches, identified in 2015, 2018, and 2020, exposed the personal information of over 344 million customers globally. The most severe incident allowed hackers to remain undetected within the systems for four years, from 2018 to 2022. Another breach lasted 14 months before detection.
The FTC accused Marriott and Starwood of failing to implement adequate security measures, leaving their systems vulnerable. Shortcomings included poor password management, weak firewall practices, and failure to update outdated software and systems. The companies were criticised for misleading customers by claiming “reasonable and appropriate data security” measures.
Strengthening security and customer transparency
Marriott and Starwood must implement comprehensive data security policies as part of the FTC’s directive. These include:
- Retaining customer information only for as long as necessary.
- Providing a public link for US-based customers to request the deletion of personal information tied to their email addresses or loyalty accounts.
Additionally, the companies are barred from misrepresenting how they handle personal data. They must be transparent about their processes for collecting, maintaining, using, deleting, and protecting consumer information.
The FTC order also mandates that Marriott and Starwood:
- Maintain compliance records.
- Undergo periodic inspections by the FTC.
- Comply with these requirements for the next 20 years.
This isn’t the only financial penalty Marriott has faced. On the same day the FTC announced the charges, Marriott agreed to a $52 million settlement with the Connecticut Attorney General’s office.
Hotels as prime hacking targets
Hotels remain attractive targets for cyberattacks due to the vast amount of sensitive information they collect. The hospitality industry has faced increased scrutiny following high-profile incidents, such as the 2023 ransomware attack on MGM Resorts. This breach caused significant disruptions, including delayed check-ins and operations reverting to pen-and-paper methods.
FTC Chair Lina Khan emphasised the importance of robust cybersecurity in the hospitality sector, highlighting the widespread impact such breaches can have on customers and business operations.
With the FTC’s oversight now in place, Marriott and Starwood are expected to adopt stricter protocols to protect consumer data, helping restore customer trust in their brands.
