Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124


The Federal Trade Commission (FTC) has told Marriott International and Starwood Hotels to implement a robust customer data security scheme after several security failures in recent years.
Between 2015 and 2020, Marriott suffered three massive data breaches, resulting in the exposure of more than 344 million customer details worldwide, including passport details, payment cards, and other personal identity information.
According to the ruling, Marriott must now establish and maintain a comprehensive information security program that includes encryption, access control, multi-factor authentication and incident response. Meanwhile, it must also monitor all IT assets to detect security events, and maintain policies to keep personal information only for as long as necessary.
Independent, biennial assessments of information security programs must also be conducted, and any identified gaps or security breaches must be reported to the FTC within 10 days. These terms will be enforced for the next 20 years.
Customers will now be given the option to review suspected unauthorized activity on their accounts, and to request that their data and personal information be removed from Marriott systems.
The company admitted that major security failures led to hackers being able to access customer data, and that by failing to use secure encryption, Marriott was leaving itself vulnerable to an inevitable large-scale cyber attack.
As a result, it's estimated hackers had access to Marriott systems for up to four years, and these breaches landed the company with a $52 million penalty from the FTC earlier this year, as the FTC argued that the firm tried to hide the violations, and “mislead consumers by claiming that they have reasonable and adequate data security.”
Via BleepingComputer