FTC Holds Marriott and Starwood Accountable for Extensive Data Breaches

CybersecurityPhoto by Kevin Ku on Pexels.com

WASHINGTON, D.C. — The Federal Trade Commission (FTC) has mandated that Marriott International, Inc. and its subsidiary, Starwood Hotels & Resorts Worldwide LLC, implement a comprehensive information security program to address severe lapses that led to significant data breaches from 2014 to 2020. These breaches compromised the personal information of over 344 million customers globally, prompting the FTC to take decisive action to protect consumer data.

The FTC’s proposed settlement order comes in response to allegations that Marriott and Starwood failed to uphold reasonable data security measures, thereby deceiving consumers about the protection of their personal information. The companies are accused of neglecting essential security protocols, such as effective password management, access controls, and network segmentation, which contributed to multiple breaches over several years.

The first significant breach occurred in June 2014, involving the payment card details of over 40,000 Starwood customers. This breach remained undetected for over a year, highlighting a critical failure in the companies’ monitoring systems. A subsequent breach, beginning in July 2014, went unnoticed until September 2018, during which time hackers accessed 339 million guest account records worldwide, including millions of unencrypted passport numbers. The most recent breach, affecting Marriott’s own network from 2018 to 2020, exposed 5.2 million guest records, underscoring the ongoing security vulnerabilities.

Under the terms of the settlement, Marriott and Starwood are required to establish a robust information security program that will be subject to independent audits every two years for the next two decades. This program must include rigorous safeguards to protect consumer data and ensure compliance with privacy standards.

READ:  FTC Takes Action Against IntelliVision Over Misleading AI Claims

In addition to strengthening their cybersecurity measures, Marriott and Starwood must provide U.S. customers with options to request the deletion of personal information linked to their email or loyalty rewards accounts. They are also required to review and restore any stolen loyalty points upon customer request, thereby directly addressing the impact on affected consumers.

The FTC’s action is complemented by a separate agreement in which Marriott will pay a $52 million penalty to 49 states and the District of Columbia to settle similar data security allegations. This cooperative effort between the FTC and state authorities underscores the gravity of the breaches and the need for comprehensive reform in data management practices.

FTC Director of the Bureau of Consumer Protection, Samuel Levine, emphasized the importance of this settlement, stating that “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers.” The FTC’s coordinated efforts aim to hold Marriott accountable and ensure improvements in data security practices across its extensive global network of properties.

This settlement serves as a critical reminder of the necessity for corporations to maintain robust data protection measures, particularly when handling sensitive consumer information. As the FTC continues to enforce stringent security standards, consumers are encouraged to remain vigilant and informed about how their personal data is managed by service providers.

For the latest news on everything happening in Chester County and the surrounding area, be sure to follow MyChesCo on Google News and MSN.