Marriott Faces Federal Action Over Major Data Breaches Affecting Millions
The U.S. Federal Trade Commission (FTC) announced on Wednesday that Marriott International and its subsidiary, Starwood Hotels & Resorts Worldwide, will be mandated to implement an information security program as part of a settlement related to several significant data breaches that occurred between 2014 and 2020. These breaches compromised the personal information of more than 344 million customers globally, raising serious concerns about the effectiveness of the companies’ data security practices.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, criticized Marriott for its inadequate security measures, which he stated "led to multiple breaches affecting hundreds of millions of customers." This FTC initiative, developed in collaboration with state partners, aims to enforce improvements in data security protocols across Marriott’s global hotel operations, a critical step considering the scale and impact of the breaches.
Furthermore, as part of the settlement, Marriott and Starwood have agreed to enhance customer privacy by enabling U.S. customers to request the deletion of personal information linked to their email addresses or loyalty rewards accounts. They will also be obligated to examine loyalty rewards accounts upon customer request and restore any stolen loyalty points. This move reflects a growing necessity for companies to prioritize customer data security in light of persistent cyber threats.
In addition to implementing new security measures, Marriott will incur a financial penalty of $52 million, payable to 49 states and the District of Columbia, to resolve similar allegations of lax data security. This financial settlement underscores the gravity of the situation and the expectations placed upon large corporations to protect customer data adequately.
Marriott has stated that protecting guests’ personal information remains its top priority, affirming its commitment to investing significantly in evolving its data security programs and systems. The company emphasizes that its agreements with the FTC and state attorneys general do not constitute an admission of liability regarding the allegations, although the repetitive nature of these breaches raises important questions about its cybersecurity posture.
In 2020, Marriott also faced a class action lawsuit in London from millions of former guests, seeking compensation after their personal information was stolen in what has been described as one of the largest data breaches in history. This continuing pattern of data breaches within the organization suggests potential weaknesses that may correspond to several tactics outlined in the MITRE ATT&CK framework, including initial access through phishing or exploitation of vulnerable services, persistence techniques to maintain access to compromised systems, and privilege escalation to reach more sensitive information.
As businesses increasingly integrate technology into their operations, the need for robust cybersecurity measures has never been more pressing. Recent events at Marriott serve as a cautionary tale for organizations of all sizes regarding the critical importance of securing sensitive customer data against evolving cyber threats. The combination of regulatory scrutiny and legal challenges indicates that companies must proactively address their cybersecurity frameworks to prevent future incidents and safeguard their reputation.