The Federal Trade Commission announced on Friday it finalized an order (pdf) requiring Marriott International and subsidiary Starwood Hotels to improve their digital security, reports BleepingComputer. The FTC charged the companies with lax security practices that resulted in three big breaches detected in 2015, 2018, and 2020, âaffecting more than 344 million customers worldwide,â leaking passport details, payment cards, and other info.
The shortest breach lasted 14 months before it was detected, while the longest one saw attackers maintain access for four years, starting in 2018. The beefed-up security programs they’ve agreed to establish include creating policies to only keep information for as long as itâs needed and publishing a link allowing US customers to request the deletion of information tied to their email address or loyalty account.
Hotels have been one of many key targets for hackers, with one breach last year catching FTC Chair Lina Khan among the many people left waiting to check in when a ransomware attack forced MGM Resorts to fall back on using pen and paper.
The FTC announced its charges in October, accusing the companies of having âdeceived consumersâ with false claims of âreasonable and appropriate data security.â Their alleged failures included having bad password and firewall practices and not patching outdated software and systems. The same day the FTC revealed the charges, the Connecticut Attorney Generalâs office announced Marriott had agreed to a $52 million settlement.
Beyond improving their security, the companies are now forbidden âfrom misrepresenting how they collect, maintain, use, delete or disclose consumersâ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information.â Other requirements include that they keep compliance records and submit to FTC inspections. The order will stay in effect for 20 years.
Read the full article here