FTC orders Marriott and Starwood to step up their data protections

The Federal Trade Commission announced on Friday that it has finalized an order (pdf) requiring Marriott International and its affiliated Starwood hotels to improve their digital security, reports BleepingComputer. The FTC accused the companies of lax security practices that resulted in three major breaches discovered in 2015, 2018 and 2020, “affecting more than 344 million customers worldwide,” with leaked information including passport details, payment cards and more.

The shortest breach lasted 14 months before it was discovered, while in the longest, attackers maintained access for four years, starting in 2018. The security programs the companies set up include creating policies to keep information only as long as it is required, and publishing a link that allows US customers to request deletion of information associated with their email address or loyalty account.

Hotels have been one of many key targets for hackers. A breach last year caught FTC Chair Lina Khan among the many people waiting to check in when a ransomware attack forced MGM Resorts to return to using pen and paper.

The FTC announced its charges in October, accusing the companies of “deceiving consumers” with false claims of “reasonable and adequate data protection”. Their alleged failures include improper password and firewall practices and not patching outdated software and systems. On the same day the FTC disclosed the allegations, the Connecticut Attorney General’s Office announced that Marriott had agreed to a $52 million settlement.

In addition to improving their security, the companies are now prohibited from “misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which companies maintain privacy, security, protect the availability, confidentiality, or integrity of personal information.” Other requirements include that they keep compliance records and submit to FTC inspections. This order will remain in force for 20 years.
