
Marriott Faces $52 Million Fine and FTC Reprimand Over Data Breaches

Hotel giant instructed to develop comprehensive information security program and certify compliance as part of reprimand.


Marriott and Starwood have been fined and told to implement a comprehensive security program following three large data breaches.

According to the FTC, the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020, impacting more than 344 million customers worldwide.

In a proposed settlement order with the FTC, Marriott and Starwood have agreed to provide all their U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number. Marriott will also be required to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

In a separate settlement, Marriott agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations.

“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

Security Failures

The FTC alleged that security failures by Marriott and Starwood resulted in at least three separate data breaches where malicious actors obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers, according to the proposed complaint.

The first breach occurred in June 2014 and involved payment card information of more than 40,000 Starwood customers. The breach went undetected for 14 months; Starwood notified customers in November 2015, just four days after Marriott announced it was acquiring Starwood.

The second breach began around July 2014 and went undetected until September 2018. During that time, malicious actors accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers.

The third breach, which went undetected from September 2018 until February 2020, impacted Marriott’s own network. Malicious actors accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information.

Settlement Requirements

Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information. Other provisions of the proposed order include:

  • Data Minimization: The companies must implement a policy to retain personal information only for as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies must also disclose the purpose behind collecting personal information and the specific business need for retaining it.

  • Comprehensive Information Security Program: Marriott and Starwood are required to establish, implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.

  • Loyalty Rewards Program Account Review: The companies must provide a method for consumers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts and Marriott must restore any loyalty points stolen by malicious actors.

  • Data Deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.

Commenting, William Wright, CEO of Closed Door Security, said the fine was “fairly insignificant” considering the scale of Marriott's security failings, as the attacks impacted hundreds of millions of people and compromised sensitive information, including unencrypted passport details, which would have put a massive strain on victims.

He said: “While it’s positive to hear that Marriott will now prioritise its cyber defences, it really should have been doing this from the very beginning. As one of the world’s largest hotel groups that holds masses of sensitive data, cyber security should never have been optional.

“This fine is merely a slap on the wrist to a multi-billion-dollar organisation like Marriott.

“It also follows in the wake of the ICO's minor fine against the organisation in 2020. But, if the regulators really want to encourage businesses to improve their cyber hygiene, this doesn’t send out a good message. It certainly won’t be enough to deter other businesses from being lax with their defences.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

