The Federal Trade Commission (FTC) announced on Friday that it has finalized an order mandating Marriott International and its subsidiary, Starwood Hotels, to enhance their digital security protocols. This development follows allegations against the companies for insufficient security practices that led to three major data breaches occurring in 2015, 2018, and 2020. These incidents collectively compromised the personal information of over 344 million customers globally, exposing sensitive data such as passport details and payment card information.
The breaches highlighted severe lapses in security: the shortest went undetected for an alarming 14 months, while the longest, beginning in 2018, persisted for four years. In response to these findings, Marriott and Starwood have agreed to implement a series of robust security measures. These include data retention policies that limit how long information is stored, and a mechanism through which U.S. customers can request the deletion of the data linked to their email addresses or loyalty accounts.
Hackers have increasingly targeted the hotel industry, making it a focal point for cyber threats. A notable incident last year involved a ransomware attack against MGM Resorts, which left FTC Chair Lina Khan and numerous others stranded, as the hotel had to revert to manual processes for check-ins due to compromised systems.
In October, the FTC brought its charges against Marriott and Starwood, accusing them of misleading consumers with false representations of “reasonable and appropriate data security” measures. Key failures identified in the complaint included poor password management, inadequate firewall protections, and a failure to update outdated software and systems. Concurrently, the Connecticut Attorney General’s office announced that Marriott had agreed to a $52 million settlement regarding these breaches.
The FTC’s order not only compels the companies to improve their cybersecurity practices but also prevents them from misrepresenting how they handle consumer data. This includes a mandate to clearly disclose the extent to which customers’ personal information is protected. Additionally, the order stipulates that Marriott and Starwood must maintain comprehensive compliance records and are subject to periodic inspections by the FTC. This regulatory oversight will remain in force for 20 years.
Viewed through the MITRE ATT&CK framework, several tactics and techniques are plausibly relevant to these breaches. Initial access may have been achieved through phishing or the exploitation of unpatched vulnerabilities, while persistence could have relied on compromised accounts that remained in use over extended periods. Privilege escalation could then have allowed the attackers to reach sensitive data, ultimately enabling data breaches of this scale.
Overall, this case underscores the imperative for robust cybersecurity measures in protecting consumer information. Business owners must take proactive steps to safeguard their systems, recognizing that the repercussions of insufficient data security extend far beyond regulatory penalties, impacting customer trust and company reputation.