FTC Directive Requires Marriott and Starwood to Enforce Enhanced Data Security Measures

FTC mandates enhanced data security for Marriott and Starwood

The Federal Trade Commission (FTC) has mandated that Marriott International and its subsidiary, Starwood Hotels, develop and enforce a comprehensive data security program due to a series of significant failures that resulted in massive data breaches. This action comes after Marriott’s acquisition of Starwood in 2016, which was marred by compromises that exposed the personal information of 344 million customers worldwide.

In light of these breaches, the FTC has issued an order requiring Marriott and Starwood to establish a robust security framework designed to protect sensitive client data from cyber threats while enhancing customer control over their information. The order identifies several key security measures that must be integrated into their operational protocols. These include the implementation of encryption, access controls, and multi-factor authentication, along with rigorous monitoring and incident response capabilities.

Marriott is also required to review and refine its policies regarding the retention of personal data, ensuring that information is stored only as necessary for its intended purposes. To promote transparency, the company must provide a mechanism on its website for U.S. consumers to request the deletion of their personal information. The FTC has set a firm deadline of 180 days from the order’s effective date—December 20, 2024—for these new security protocols to be operational, with the overarching mandate remaining in place for two decades.

The backdrop to this intervention includes a troubling history of data security lapses at both Marriott and Starwood. Notably, in 2014, Starwood suffered a significant breach of its payment systems, delaying disclosure for an extended period. Subsequent incidents further underscored systemic flaws in data protection practices, such as breaches from 2014 to 2018 that compromised nearly 339 million guest records, including unencrypted passport numbers, as well as a breach affecting over 5 million guests discovered in 2020, which left customers vulnerable for years.

The tactics likely used in these breaches map to several stages of the MITRE ATT&CK framework: initial access through compromised systems, followed by privilege escalation that let unauthorized actors move through the network undetected. Inadequate awareness and monitoring allowed persistence techniques to go unnoticed, which the attackers used to maintain access and exploit weaknesses over extended periods. The slow response also points to deficiencies in incident response and threat detection, both critical components of a resilient cybersecurity posture.

This FTC order underscores the importance of proactive data security measures, particularly for organizations like Marriott with extensive customer data access. As businesses face increasing scrutiny from regulatory bodies and the public regarding data protection, the implications of these requirements extend beyond compliance. They serve as a crucial reminder that ongoing vigilance against cybersecurity threats is essential to protect sensitive information and maintain consumer trust.

Following these revelations, Marriott has agreed to pay $52 million to 49 states as part of a settlement concerning these breaches, illustrating the severe financial repercussions organizations may face when they fail to secure consumer data adequately. This event is not only a case study in the risks associated with inadequate data security but also a call to action for businesses to bolster their cybersecurity protocols in an ever-evolving threat landscape.
