Marriott and Starwood Hotels Ordered to Boost Data Security by FTC

Elliot Kim

December 24, 2024 · 3 min read

The Federal Trade Commission (FTC) has finalized an order requiring Marriott International and its subsidiary Starwood Hotels to significantly improve their digital security measures. This move comes after the companies suffered multiple data breaches, resulting in the exposure of sensitive customer information, including passport details and payment cards.

The FTC charged Marriott and Starwood with failing to protect consumers' personal information with "reasonable security," citing lax security practices that led to three major breaches detected in 2015, 2018, and 2020. The longest breach lasted an alarming four years, starting in 2018, while the shortest breach persisted for 14 months before being detected.

As part of the order, Marriott and Starwood have agreed to establish beefed-up security programs, including creating policies to only keep customer information for as long as it's needed. Additionally, the companies will publish a link allowing US customers to request the deletion of information tied to their email address or loyalty account. This move is seen as a significant step towards enhancing customer data protection.

Hotels have become a prime target for hackers in recent years, with a ransomware attack on MGM Resorts last year forcing the company to revert to using pen and paper. The FTC's action serves as a warning to other companies in the hospitality industry to prioritize customer data security.

In October, the FTC announced its charges against Marriott and Starwood, accusing the companies of deceiving consumers with false claims of "reasonable and appropriate data security." The alleged failures included poor password and firewall practices, as well as failing to patch outdated software and systems. On the same day, the Connecticut Attorney General's office announced that Marriott had agreed to a $52 million settlement.

Beyond improving their security, the companies are now prohibited from misrepresenting how they collect, maintain, use, delete, or disclose consumers' personal information. They are also required to keep compliance records and submit to FTC inspections. The order will remain in effect for 20 years, ensuring that Marriott and Starwood prioritize customer data security for the long haul.

The FTC's action highlights the importance of robust data security measures in the digital age. As companies continue to collect and store vast amounts of customer data, they must prioritize protecting that information from cyber threats. The Marriott and Starwood case serves as a cautionary tale, emphasizing the need for companies to invest in robust security measures to avoid similar breaches and protect their customers' sensitive information.

Copyright © 2024 Starfolk. All rights reserved.