- The FTC imposes strict rules on the Marriott Hotel chain
- Three massive data breaches at the Marriott left hundreds of millions of customers exposed
- FTC says the company failed to implement proper security measures
The Federal Trade Commission (FTC) has ordered Marriott International and its subsidiary Starwood Hotels to implement a robust system for securing customer data after multiple security failures in recent years.
Between 2015 and 2020, Marriott suffered three massive data breaches, exposing the data of more than 344 million customers around the world, including passport data, payment cards and other personally identifiable information.
Under the order, Marriott must establish and maintain a comprehensive information security program, which includes encryption, access controls, multi-factor authentication and incident response. It must also monitor all IT assets to detect security events, and enforce data retention policies so that personal information is kept only for as long as it is needed.
Poor security practices
The information security program must also be assessed by an independent third party every two years, and any identified security gaps or breaches must be reported to the FTC within ten days. These conditions will be enforced for the next twenty years.
Customers must also be given a way to review suspected unauthorized activity on their loyalty accounts and to request that their personal information be deleted from Marriott’s systems.
According to the FTC’s complaint, major security lapses allowed attackers to gain access to customer data, and by failing to properly encrypt sensitive information and to enforce basic access and password controls, Marriott left itself open to a large-scale cyber attack.
As a result, attackers are estimated to have had access to Starwood’s systems for up to four years before the intrusion was discovered. Alongside the FTC action, the breaches cost the company a $52 million settlement with the attorneys general of 49 states and the District of Columbia, while the FTC argued that the company “mislead consumers by claiming that they have reasonable and appropriate data security.”
Via BleepingComputer