- FTC’s investigation reveals that Marriott, along with its subsidiary Starwood Hotels & Resorts, implemented insufficient data protection practices, resulting in multiple breaches from 2014 to 2020.
Marriott International, a prominent player in the hospitality industry, agreed to a settlement of $52 million in response to a significant data breach that compromised the personal information of over 344 million guests globally.
The settlement, reached in conjunction with the Federal Trade Commission (FTC) and attorneys general from 49 states and the District of Columbia, underscores the critical need for robust data security measures in the face of rising cyber threats.
The FTC’s investigation revealed that Marriott, along with its subsidiary Starwood Hotels & Resorts, implemented insufficient data protection practices, resulting in multiple breaches from 2014 to 2020.
Reputational crisis
According to Samuel Levine, director of the FTC’s Bureau of Consumer Protection, such lapses in security not only jeopardised the privacy of millions but also misled consumers regarding the safety of their personal information.
As part of the settlement, Marriott is required to enhance its information security protocols significantly. This includes instituting a comprehensive security program featuring multi-factor authentication, encryption, and regular audits by independent third parties.
Notably, customers will now be afforded greater control over their personal data, with the ability to request deletions related to their loyalty accounts and email addresses.
Greater accountability
The breaches disclosed by the FTC highlighted a series of failures in Marriott’s security framework, such as inadequate password protection, lack of access controls, and poor monitoring of network environments.
The first breach, stemming from vulnerabilities in the Starwood system, went unnoticed for 14 months, exposing critical financial and personal information, including payment card details and passport numbers.
Subsequent breaches further compounded the environment of insecurity, culminating in a widespread reputational crisis for Marriott.
While Marriott has publicly maintained that it accepts no liability for the underlying allegations, the settlement signals an imperative shift towards greater accountability in the management of customer data.
The hotel chain’s commitment to rectify its security practices is essential not only for restoring consumer confidence but also for protecting sensitive information in an increasingly digital world.