The FTC has slammed hotel chain Marriott following a series of data breaches that harmed more than 344 million customers worldwide from 2014 to 2020.
In an October 9 news release, the agency issued a settlement order with the company, saying Marriott must delete personal data associated with customers’ accounts upon request and restore loyalty points lost as a result of the breach. Additionally, the chain will need to significantly strengthen its security to better protect its customers from future cyberattacks.
Marriott acquired Starwood in 2015, creating the world’s largest hotel company. But the years since have continued to be problematic for the chain, at least when it comes to cybersecurity.
In the complaint, the FTC accused the company of failing to protect customer data in at least three separate data breaches. As a result, hackers were able to steal user information such as payment card numbers, loyalty numbers, passport data, dates of birth, and email addresses.
Specifically, the FTC said Marriott and Starwood failed to set up adequate password controls, access controls, firewall controls, or network segmentation. The chain also failed to patch outdated software and systems, monitor its network environment, and implement effective multi-factor authentication. The FTC added that the company misled customers by claiming it had reasonable and appropriate security in place.
Beginning in June 2014, the initial breach affected more than 40,000 Starwood customers and went undetected for 14 months. The second breach, which began in July 2014, led to the theft of 339 million Starwood guest account records and 5.25 million unencrypted passport numbers, and went undetected until September 2018.
A third breach occurred in September 2018, affecting over 5.2 million guest records and collecting names, addresses, email addresses, phone numbers, and loyalty card information. This was not detected until February 2020.
As a result of all these violations, the chain is facing numerous lawsuits and fines. In a separate settlement with the 50 state attorneys general, announced on October 9, Marriott must pay a $52 million fine over the compromise of the Starwood guest account database. With this settlement and the FTC settlement, the company no longer has to expend effort on those cases.
For Marriott customers, the FTC settlement means:
- You can ask the company to check your Bonvoy account for fraudulent or suspicious activity. If loyalty points were stolen, the company must restore them.
- You can request deletion of your personal data associated with your email address or Bonvoy account number using the Marriott website or mobile app.
- You can now set up multi-factor authentication on your Bonvoy account for added security.
- The company’s privacy policy must clearly explain why personal data is collected and stored.
To strengthen cybersecurity, Marriott must also:
- Set up a comprehensive security program that includes multi-factor authentication, encryption, and other safeguards.
- Cooperate with third-party audits of its information security program.
- Retain and store personal customer information only as long as it has a business need to do so.
- Use the information it collects only for the stated purpose.
- Delete the information it collects when it is no longer needed.
- Not use data that should have been deleted for marketing purposes.
Under the settlement with the state attorneys general, Marriott will have to do more.
As part of its information security program, Marriott must establish zero trust principles, regular security reporting to the CEO, and employee training on data handling and security.
To better protect customer data, Marriott must also implement several safeguards, including component hardening, asset inventory, encryption, network segmentation, patch management, intrusion detection, user access control, and tracking of files and users within the network.
The hotel chain must also pay particular attention to risk assessments of critical IT vendors and cloud providers and increase security monitoring of vendors and franchisees. If Marriott acquires another company in the future, it will need to analyze the security of that business and develop a plan to identify and fix any gaps or weaknesses in its program.
Finally, Marriott will be required to submit its information security program to an independent third-party review every two years for up to 20 years.
“The recent settlement imposed on Marriott serves as a reminder of the increasing responsibilities that businesses and their security leaders face when it comes to data security,” Darren Guccione, co-founder and CEO of Keeper Security, told ZDNET.
“Mandatory implementation of a comprehensive information security program sets a benchmark for other companies to follow, as failure to protect customer data can lead to hefty fines and lasting reputational damage. This is a clear message from the FTC,” Guccione added. “Business leaders now realize that they need to prioritize cybersecurity more than ever. For consumers, the right to request data deletion and increased protection for loyalty accounts make privacy a serious consideration. It gives you some peace of mind that you are being taken care of.”