FTC orders Marriott and Starwood to boost cybersecurity following major incidents
Firms told they failed to implement ‘reasonable data security’
- The FTC is imposing strict rules on the Marriott Hotel chain
- Three huge data breaches from the Marriott led to hundreds of millions of customers being exposed
- FTC says the company failed to implement proper security measures
The Federal Trade Commission (FTC) has told Marriott International and Starwood Hotels to implement a robust customer data security scheme following multiple security failures in recent years.
Between 2015 and 2020, Marriott suffered three huge data breaches, resulting in the details of over 344 million customers across the world being exposed, including passport details, payment cards, and other personally identifiable information.
As per the ruling, Marriott must now establish and maintain a comprehensive information security program which includes encryption, access control, multifactor authentication, and incident response. Alongside this, it must also monitor all IT assets to detect security events, and maintain policies for retaining personal information only for as long as necessary.
Poor security practices
Independent, biennial assessments of information security programs must also be conducted, and any identified gaps or security breaches must be reported to the FTC within 10 days, and these terms will be enforced for the next 20 years.
Customers will now be given the option to review suspected unauthorized activity in their accounts, and to request that their data and personal information is deleted from Marriott systems.
The company admitted that major security failings allowed hackers to access customer data, and that by failing to use secure encryption, Marriott left itself vulnerable to an inevitable large-scale cyberattack.
As a result, it's estimated hackers had access to Marriott systems for up to four years. These breaches landed the firm with a $52 million penalty from the FTC earlier this year, as the FTC argued the firm tried to hide the breaches and “deceived consumers by claiming to have reasonable and appropriate data security.”
Via BleepingComputer
Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.