
If you're a Marriott customer, FTC says the breach-plagued hotel chain owes you


If you're a Marriott customer, FTC says the breach-plagued hotel chain owes you

Following a settlement with the FTC, the hotel chain must implement a host of security changes and provide help to customers affected by the string of data breaches.

The FTC has come down hard on hotel chain Marriott following a series of data breaches between 2014 and 2020 that harmed more than 344 million customers around the world.

In a Wednesday news release announcing a settlement order with the company, the agency said that Marriott must delete any personal data associated with a customer's account upon request and restore any loyalty points lost as a result of the breaches. Further, the chain will have to dramatically tighten its security to better protect customers from future cyberattacks.


Marriott acquired Starwood in 2015, creating the world's largest hotel company. But the years have been problematic for the chain, at least when it comes to cybersecurity.

In its complaint, the FTC charged that the company failed to secure customer data in at least three separate data breaches. As a result, hackers were able to steal such user information as payment card numbers, loyalty numbers, passport data, dates of birth, and email addresses.

Specifically, Marriott and Starwood failed to set up proper password controls, access controls, firewall controls, or network segmentation, according to the FTC. The chain also neglected to patch outdated software and systems, monitor network environments, and implement effective multi-factor authentication. The company deceived its customers, the FTC added, by claiming to have reasonable and appropriate security in place.

Starting in June 2014, the first breach affected more than 40,000 Starwood customers and went undetected for 14 months. Starting in July 2014, the second breach led to the theft of 339 million Starwood guest account records and 5.25 million unencrypted passport numbers and was undetected until September 2018.

Starting in September 2018, the third breach impacted more than 5.2 million guest records, capturing names, mailing addresses, email addresses, phone numbers, and loyalty card information. This one went undetected until February 2020.

With all these breaches, the chain has faced a slew of lawsuits and fines. In another settlement with 50 state attorneys general announced on Wednesday, Marriott will have to pay a fine of $52 million. This one stems from the breach of its Starwood guest account database. With this settlement and the one with the FTC, the company has its work cut out for it.


For Marriott customers, the FTC settlement means the following:

To beef up its cybersecurity, Marriott will also have to address the following:

There's even more on Marriott's plate as a result of the settlement with the state attorneys general.


As part of its information security program, the company must establish zero-trust principles, regular security reporting to the CEO, and employee training on data handling and security.

To better protect customer data, Marriott must implement several measures, including component hardening, asset inventory, encryption, network segmentation, patch management, intrusion detection, user access controls, and the tracking of files and users within the network.

The hotel chain must also increase its security oversight of vendors and franchisees, paying special attention to risk assessments for critical IT vendors and cloud providers. If Marriott acquires another company in the future, it must analyze that business's security and develop plans to identify and correct any gaps or weaknesses in its program.


Finally, Marriott will have to submit to an independent third-party review of its information security program every two years for up to 20 years.

"Marriott's poor security practices led to multiple breaches affecting hundreds of millions of customers," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in the news release. "The FTC's action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe."
