- The FTC is imposing strict rules on the Marriott Hotel chain
- Three huge data breaches at Marriott led to hundreds of millions of customers being exposed
- FTC says the company failed to implement proper security measures
The Federal Trade Commission (FTC) has told Marriott International and Starwood Hotels to implement a robust customer data security scheme following multiple security failures in recent years.
Between 2015 and 2020, Marriott suffered three huge data breaches, resulting in the details of over 344 million customers across the world being exposed, including passport details, payment cards, and other personally identifiable information.
As per the ruling, Marriott must now establish and maintain a comprehensive information security program which includes encryption, access control, multifactor authentication, and incident response. Alongside this, it must also monitor all IT assets to detect security events, and maintain policies for retaining personal information only for as long as necessary.
Poor security practices
Independent, biennial assessments of information security programs must also be conducted, and any identified gaps or security breaches must be reported to the FTC within 10 days. These terms will be enforced for the next 20 years.
Customers will now be given the option to review suspected unauthorized activity in their accounts, and to request that their data and personal information is deleted from Marriott systems.
The company admitted major security failings led to hackers being able to access customer data, and by failing to use secure encryption, Marriott left itself vulnerable to an inevitable large-scale cyberattack.
As a result, it's estimated hackers had access to Marriott systems for up to four years. These breaches landed the firm with a $52 million penalty by the FTC earlier this year, as the FTC argued the firm tried to hide the breaches and “deceived consumers by claiming to have reasonable and appropriate data security.”
Via BleepingComputer