- FTC imposes strict rules on Marriott hotel chain
- Three major Marriott data breaches left hundreds of millions of customers exposed
- FTC says company failed to implement adequate security measures
The Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels to implement a robust customer data security scheme following multiple security breaches in recent years.
Between 2015 and 2020, Marriott suffered three major data breaches, resulting in the exposure of more than 344 million customers worldwide, including passport details, payment cards, and other personally identifiable information.
Under the ruling, Marriott must now establish and maintain a comprehensive information security program that includes encryption, access control, multi-factor authentication and incident response. In addition, the company must monitor all IT assets for security events and maintain policies to retain personal information only for as long as necessary.
Poor security practices
Independent, biennial evaluations of the information security program must also be conducted, and any identified security gaps or violations must be reported to the FTC within 10 days. These terms will apply for the next 20 years.
Customers will now have the option to review suspicious unauthorized activity on their accounts and request that their data and personal information be removed from Marriott systems.
The company admitted that major security flaws allowed hackers to access customer data; by not using strong encryption, Marriott left itself vulnerable to an inevitable large-scale cyberattack.
As a result, hackers are estimated to have had access to Marriott’s systems for up to four years. These breaches earned the company a $52 million fine from the FTC earlier this year, with the FTC arguing that the company attempted to conceal the violations and “misled consumers by claiming to have reasonable and adequate data security.”
Via BleepingComputer