Marriott and Starwood ordered to implement security overhaul in FTC settlement
The U.S. Federal Trade Commission has finalized an order requiring Marriott International Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a comprehensive information security program to settle charges following multiple hacks of the hotel group that led to the theft of details of 344 million customers globally.
In its complaint, the FTC mentions three hacks targeting the hotel and resort group, the largest occurring in 2018, which at the time was reported to have involved 500 million customer records. Marriott and Starwood were subsequently hacked twice more in 2022: in March 2022, with the theft of 5.2 million records, and again in July of that year.
The FTC complaint charged that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security when they failed to deploy reasonable security to protect consumers' personal information. "These security failures resulted in at least three separate data breaches that enabled malicious actors to obtain vast amounts of personal information from hundreds of millions of consumers, including passport information, payment card numbers, and loyalty numbers," the complaint states.
Under the order, Marriott and Starwood are required to establish a comprehensive information security program to safeguard customer information, implement a policy to retain personal information only for as long as is reasonably necessary and establish a link on their websites for U.S. customers to request that personal information associated with their email address or loyalty rewards account be deleted.
The order also requires Marriott to restore stolen loyalty points upon request from a customer.
To ensure that they don't misbehave again, Marriott and Starwood are now prohibited from misrepresenting how they collect, maintain, use, delete, or disclose customers' personal information.
The Commission voted 3-2 in favor of the order, with two commissioners recusing themselves from the vote.
While neither Marriott nor Starwood has experienced another hack since 2020, the fact that they managed a hat-trick in the space of three years indicates gross corporate negligence. Irrespective of the FTC order, it is unlikely that the companies will allow the same to happen again if they can help it.