The Federal Trade Commission (FTC) has taken action in response to significant data breaches at Marriott and Starwood, mandating the implementation of at least 13 specific changes to prevent future incidents.
Over 344 million customers were affected by three distinct security breaches that exposed sensitive information such as credit card data and passport details.
Overview of the Marriott and Starwood Data Breaches
The initial breach occurred in 2018, when Marriott International reported a significant breach of its customer database.
“Approximately 327 million guests’ information may have included a mix of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account details, birth date, gender, travel information, reservation dates, and communication preferences. Some customers’ details may also encompass payment card numbers and expiration dates, although these were encrypted with Advanced Encryption Standard (AES-128). At this time, Marriott has not confirmed whether both components needed to decrypt payment card numbers were compromised.”
Subsequent breaches followed this initial incident.
FTC Mandates 13 Security Changes
The FTC has mandated both Marriott and Starwood to enact comprehensive changes to avoid any recurrence of the vulnerabilities that led to these breaches.
According to the order, Marriott and Starwood must create a robust information security program aimed at protecting customers’ personal data, enforce a policy for retaining personal information only as long as necessary, and implement a feature on their website allowing U.S. customers to request deletion of personal information tied to their email or loyalty account number. Additionally, Marriott is instructed to review loyalty accounts upon request and restore any compromised loyalty points.
The companies are also prohibited from misrepresenting their practices regarding the collection, management, use, deletion, or disclosure of consumer personal data, as well as the degree of protection they afford to the privacy, security, accessibility, confidentiality, or integrity of that information.
The simplicity of many of these mandates highlights the severity of past deficiencies. For instance, companies must now accurately communicate their practices concerning personal data:
Respondents, including Respondents’ officers, agents, employees, and anyone else acting in concert with them who receive actual notice of this Order, must not misrepresent in any way, either explicitly or implicitly:
A. The collection, maintenance, use, deletion or disclosure of Personal Information by Respondents; and
B. The extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of Personal Information.
Additional requirements include employee training in data security, strategies for responding to security threats, the establishment of intrusion detection policies, and the implementation of two-factor authentication.