Feds Order Marriott/Starwood to Implement Data Security Program
Marriott acquired the Starwood hotel chain in 2016. Two years before the acquisition, in 2014, attackers had already broken into Starwood's systems. Marriott did not discover the compromise until 2018, two years after the deal closed, and only because it was migrating Starwood's guest reservation data onto Marriott's own systems and stumbled across the intruders in the process.
The breach exposed information on more than 300 million customers.
This is only one of several breaches that Marriott has had over the last ten years.
So now, ten years after the intrusion, six years after it was detected, and one month before the change of hands in Washington, the FTC wakes up and tells Marriott to clean up its act.
Setting aside the timing, ten years? Six years? Whatever happened to swift justice?
None of this is going to help the 344 million people affected, but maybe Marriott will clean up its act a bit.
According to the FTC:
The Federal Trade Commission finalized an order requiring Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a comprehensive information security program to settle charges that the companies failed to implement reasonable data security, which led to three large data breaches affecting more than 344 million customers worldwide.
https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-finalizes-order-marriott-starwood-requiring-them-implement-robust-data-security-program-address
The key measures they have to implement include:
- Implement a comprehensive security program including encryption, MFA, access controls, etc.
- Retain information only as long as required and make it easy for consumers to tell them to delete their information
- Implement logging and alerting to detect anomalous events within 24 hours
- Implement biennial security assessments and report any gaps to the FTC – FOR THE NEXT TWENTY YEARS
- Provide a method for their customers to report unauthorized rewards activities and get their points back
- Report to the FTC within TEN DAYS any time they have to notify any other government agency about a security incident.
They have 180 days from last Friday to implement all of this.
Hopefully this never happens to you, but reporting to the FTC for twenty years does not sound like a lot of fun, and 180 days to stand up a program like this at a company of Marriott's size is close to impossible. What we do not know is how long they have already been working on it; the settlement was negotiated well before the order was finalized, so they may have been building the program for a year or more.
Credit: Bleeping Computer