BleepingComputer reports that the Federal Trade Commission announced on Friday that it has finalized an order (pdf) requiring Marriott International and its subsidiary Starwood Hotels to improve their digital security. The FTC said three large-scale breaches were discovered in 2015, 2018, and 2020 that “affected more than 344 million customers around the world,” exposing passport details, payment card data, and other information. Both companies were accused of lax security practices that led to the leak.
The shortest breach lasted 14 months before being detected, while the longest saw attackers maintain access for four years starting in 2018. The enhanced security program we have agreed to establish includes the creation of policies under which information is retained only for certain periods of time. We do this by publishing a link that allows U.S. customers to request deletion of their email address or the information associated with their loyalty account.
Hotels are one of hackers’ primary targets, and when a ransomware attack forced MGM Resorts to fall back on pen and paper last year, FTC commissioners were among the many people waiting to check in; the agency’s chair, Lina Khan, was also caught up in that incident.
The FTC issued a complaint in October accusing the companies of “deceiving consumers” with false claims of “reasonable and adequate data security.” The alleged failures include inadequate password and firewall controls and a failure to patch outdated software and systems. On the same day the FTC disclosed its charges, the Connecticut Attorney General’s Office announced that Marriott had agreed to a $52 million settlement.
In addition to improving security, the companies are now prohibited from “misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information” and “the extent to which the company protects the privacy, security, availability, confidentiality, and integrity of personal information.” Other requirements include maintaining compliance records and submitting them for FTC inspection. The order will remain in effect for 20 years.