Major Marriott and Starwood Data Breaches Demand 13 Solutions

The Federal Trade Commission (FTC) has taken action following a series of significant data breaches involving Marriott and Starwood, mandating that the companies implement a minimum of 13 changes to prevent future occurrences.

Over 344 million customers were affected by three distinct security breaches, which compromised sensitive information including credit card details and passport data.

Data Breaches at Marriott and Starwood

The initial breach occurred as far back as 2018.

The Marriott International hotel chain has reported a significant hack involving its customer database.

“For roughly 327 million of these guests, the compromised data includes various combinations of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account details, date of birth, gender, arrival and departure dates, reservation dates, and communication preferences. In some instances, the data also contains payment card numbers and expiration dates; however, the payment card numbers were encrypted via Advanced Encryption Standard encryption (AES-128). There are two components necessary for decrypting the payment card information, which have not been determined to be secure by Marriott.”

Two additional breaches occurred after this incident.

FTC Mandates 13 Changes

The FTC has since directed both hotel chains to implement extensive changes so that the shortcomings that led to these breaches do not recur.

As part of the order, Marriott and Starwood must develop a comprehensive information security program aimed at protecting customers’ personal data, establish a retention policy for personal information, and create a link on their website for U.S. customers to request the deletion of personal information associated with their email address or loyalty rewards account. Moreover, Marriott is instructed to review loyalty accounts upon customer request and to restore any stolen loyalty points.

The companies are also prohibited from misrepresenting the manner in which they collect, maintain, use, delete, or disclose consumers’ personal information, as well as the extent of their protections regarding the privacy, security, availability, confidentiality, or integrity of such information.

The simplicity of many provisions highlights the serious nature of the past failures. For instance, the companies are strictly required to be truthful about how they manage your data:

Respondents, as well as their officers, agents, employees, and anyone else in active participation with them who receive actual notice of this Order, whether acting directly or indirectly, must not misrepresent in any way, either explicitly or implicitly:
A. The collection, maintenance, use, deletion, or disclosure of Personal Information by the Respondents; and
B. The measures taken by Respondents to protect the privacy, security, availability, confidentiality, or integrity of Personal Information.

Additional mandates include training staff on data security, formulating response plans for potential threats, implementing intrusion detection policies, and employing two-factor authentication.
