Ethical Hacking News

Marriott International Faces Multimillion-Dollar Settlement Over Three Data Breaches



Marriott International has reached a settlement with the Federal Trade Commission (FTC) over three data breaches that affected over 344 million customers, agreeing to pay $52 million and implement a comprehensive information security program. The settlements highlight Marriott's repeated failures in safeguarding customer information, including two incidents at its Starwood subsidiary and one at Marriott itself.

  • Marriott International agreed to pay $52 million and implement a comprehensive information security program as part of settlements for data breaches affecting over 344 million customers.
  • The company was accused of misleading consumers about their data security practices, with failures including poor password controls, outdated software, and inadequate monitoring.
  • Three major data breaches occurred between 2014 and 2018, impacting Marriott's subsidiary Starwood Hotels and the company itself, resulting in exposure of customer payment card information, passport numbers, and personal data.
  • The settlements require Marriott to establish a new comprehensive information security program with third-party assessments every two years and annual compliance certification for 20 years.
  • The incidents highlight the need for companies like Marriott to prioritize data security and transparency, including investing in robust security measures, educating employees on data protection policies, and being transparent with customers about their data handling practices.


    Marriott International, a hospitality giant with over 7,000 properties across 130 countries, has agreed to pay $52 million and implement a comprehensive information security program as part of settlements for data breaches that impacted over 344 million customers. The company's subsidiary, Starwood Hotels, was acquired by Marriott in 2016, making the latter responsible for data security and related hotel operations.

    The FTC accuses Marriott and Starwood of misleading consumers about their data security practices, highlighting failures such as poor password controls, outdated software, and lack of appropriate monitoring of its IT environment. The settlements also require Marriott to establish a new comprehensive information security program with third-party assessments every two years and annual compliance certification for 20 years.

    The data breaches that prompted the settlements were discovered in 2014 and 2018, affecting both Starwood and Marriott. In June 2014, Starwood suffered a data breach where the payment card information of many of its customers was exposed. The breach was discovered and publicly disclosed 14 months later, leaving impacted clients exposed to elevated risks for over a year.

    The second incident concerned hackers accessing 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. That breach occurred in July 2014 but was detected in September 2018, again leaving clients exposed for a multi-year period.

    The third breach impacted Marriott itself, where malicious actors accessed the records of 5.2 million guests in September 2018. The exposed data included names, email addresses, postal addresses, phone numbers, dates of birth, and loyalty account information.

    In this case, too, it took Marriott until February 2020 to discover the compromise and inform its clients accordingly. This incident highlights a broader pattern of poor data security practices at Marriott, including the failure to properly update software and the lack of effective monitoring of IT systems.

    The settlement requires Marriott to limit data retention to what is necessary and inform customers of the reason for collecting and keeping their data. It also allows customers to request reviews of unauthorized activity in their loyalty accounts and restore stolen points. Additionally, Marriott must prohibit misrepresenting how personal data is handled and ensure transparency in security practices.

    In addition to the $52 million payment, Marriott has agreed to pay $52,000,000 to 49 states and the District of Columbia to resolve allegations and claims related to the above security incidents. This separate settlement highlights the scope of the problem, with millions of customers affected by data breaches over several years.

    The FTC's announcement highlights the need for companies like Marriott to prioritize data security and transparency. The settlements also underscore the importance of effective monitoring and response to data breaches, as well as the need for clear communication with customers about their data practices.

    As the hospitality industry continues to grow and expand globally, companies like Marriott must be at the forefront of data security best practices. This includes investing in robust security measures, educating employees on data protection policies, and being transparent with customers about their data handling practices.

    In a broader context, the Marriott settlements serve as a reminder that data breaches can have far-reaching consequences for companies and consumers alike. The incident highlights the need for industry-wide cooperation and best practices to prevent similar breaches in the future.

    Marriott's agreement to pay $52 million and implement a comprehensive information security program marks an important step towards improving data security standards in the hospitality industry. However, it also underscores the need for ongoing vigilance and action to protect customer data.

    Ultimately, the Marriott settlements demonstrate that companies can be held accountable for their role in data breaches, and that transparency and accountability are essential components of effective data security practices.

    Related Information:

  • https://www.bleepingcomputer.com/news/legal/marriott-settles-with-ftc-to-pay-52-million-over-data-breaches/


  • Published: Thu Oct 10 14:27:51 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.