
Massive Marriott and Starwood data breaches require 13 fixes, says the FTC

The Federal Trade Commission (FTC) has responded to a series of massive Marriott and Starwood data breaches, ordering the companies to make no fewer than 13 changes to ensure it can’t happen again.

More than 344 million customers were impacted by three separate security breaches, which revealed personal data that included credit card details and passport information …

Marriott and Starwood data breaches

The first of the three breaches dates all the way back to 2018.

The Marriott International hotel group is the latest company to announce a large-scale hack of a customer database.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

There were two further hacks after this.

FTC orders 13 changes

The FTC has now ordered both hotel groups to implement sweeping changes to guard against any repetition of the failings that allowed the attacks to succeed.

Under the order, Marriott and Starwood are required to establish a comprehensive information security program to help safeguard customers’ personal information, implement a policy to retain personal information only for as long as is reasonably necessary, and establish a link on their website for U.S. customers to request that the personal information associated with their email address or loyalty rewards account number be deleted. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

The companies are also prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information.

Given how basic many of the provisions are, they serve as a pretty damning indictment of how bad things must have been. For example, the companies mustn’t lie about what they do with your data:

Respondents, Respondents’ officers, agents, and employees, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication:
A. Respondents’ collection, maintenance, use, deletion, or disclosure of Personal Information; and
B. The extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of Personal Information.

Other requirements are that the group train its employees in data security, create plans for responding to threats, establish policies to detect intrusions, and use two-factor authentication.


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
