$52 million and 20 years under surveillance: Marriott pays for weak cybersecurity

The FTC is forcing Marriott to overhaul its data security practices after years of data protection failures.

Marriott International and its subsidiary Starwood Hotels will pay $52 million and create a comprehensive information security program to settle cases of large-scale data breaches from 2014 to 2020 that affected more than 344 million customers.

As part of the agreement, Marriott and Starwood are required to implement a comprehensive data protection program and provide U.S. customers with the ability to request deletion of their personal data.

Marriott International is a large hotel corporation that manages more than 7,000 properties around the world. In 2016, Marriott acquired Starwood Hotels, which gave it responsibility for ensuring the security of customer data of both companies.

The FTC noted several instances where Marriott failed to adequately protect its customers' data:
  • The first incident occurred in 2014, when Starwood suffered a breach that compromised customers' payment card data. The intrusion went undetected for 14 months, prolonging the exposure of affected customers.
  • The second incident involved intruders accessing 327 million Starwood guest account records, including 5.25 million unencrypted passport numbers. The intrusion began in July 2014 but was not discovered until 2018, leaving customers exposed for several years.
  • The third incident affected Marriott's own systems. In 2020, attackers gained access to the records of 5.2 million customers, including names, email addresses, postal addresses, phone numbers, dates of birth and loyalty account details; Marriott did not detect the intrusion until February 2020.

The FTC accuses Marriott and Starwood of misleading customers about the strength of their data security. Among the main problems cited were weak password controls, outdated software and inadequate monitoring and control of their IT infrastructure.

Under the terms of the agreement, Marriott and Starwood are obligated to:
  • Establish a comprehensive data protection program with external assessments every 2 years and annual certification for 20 years.
  • Limit the storage of data to the necessary minimum and inform customers about the reasons for its collection.
  • Provide customers with the ability to request a review of their loyalty accounts for unauthorized activity and to have stolen loyalty points restored.
  • Provide customers with the ability to request deletion of personal information associated with their email or loyalty program account.
  • Ensure transparency in data protection matters and prohibit any distortions regarding how personal data is processed.

Marriott has also entered into a separate agreement with 49 U.S. states and the District of Columbia, under which it has pledged to pay $52 million to settle claims related to the incidents described above.
