In a significant regulatory move, the Federal Trade Commission (FTC) has finalized an order mandating Marriott International and its subsidiary Starwood Hotels to overhaul their data security protocols. This decision comes in response to multiple substantial data breaches that have compromised sensitive customer information, including passports and payment card details. The FTC’s actions underscore the increasing pressure on organizations to enhance their cybersecurity measures amidst rising threats.
Major breaches highlight security lapses
The breaches affecting Marriott and Starwood, which occurred in 2015, 2018, and 2020, resulted in the exposure of personal data from over 344 million customers globally. Notably, one breach allowed attackers to infiltrate the company’s systems undetected for four years, while another went unnoticed for 14 months. These incidents reflect significant lapses in security and have raised alarm regarding the adequacy of the companies’ defenses against cyber threats.
The FTC’s investigation revealed that Marriott and Starwood failed to implement sufficient security measures, rendering their systems vulnerable to attacks. Deficiencies included inadequate password management, ineffective firewall configurations, and the neglect of software updates. Furthermore, the companies misled customers by claiming to employ “reasonable and appropriate data security” practices, which were found to be grossly insufficient.
Strengthening security and customer transparency
As part of the FTC’s directive, Marriott and Starwood are now required to establish comprehensive data security policies. These policies must ensure that customer information is retained only as long as necessary and must provide U.S.-based customers with an accessible method to request the deletion of personal data linked to their email addresses or loyalty accounts. In addition, the companies are prohibited from misrepresenting their data handling practices, a requirement intended to ensure transparency in how they collect, manage, and safeguard consumer information.
The order also includes stipulations for the companies to maintain compliance records, undergo periodic inspections by the FTC, and adhere to these new requirements for the next two decades. Compounding the situation, Marriott recently settled with the Connecticut Attorney General’s office for $52 million, further highlighting the financial repercussions of their security failures.
Hotels as prime hacking targets
The hospitality sector, including hotels, has increasingly become a lucrative target for cybercriminals due to the vast amounts of sensitive data they handle. The industry has come under intensified scrutiny following several high-profile breaches, such as the ransomware attack on MGM Resorts in 2023, which disrupted operations and forced a temporary return to manual processes.
FTC Chair Lina Khan has reiterated the critical need for robust cybersecurity measures within the hospitality industry, noting that breaches can have far-reaching consequences for both customers and business operations. With the FTC now monitoring Marriott and Starwood more closely, the expectation is that both companies will adopt more stringent safeguards to protect consumer data, ultimately aiming to restore trust in their brands.
Analyzing the potential tactics behind these cyber incidents through the lens of the MITRE ATT&CK framework reveals a spectrum of adversary techniques that could have been employed. Initial access may have been achieved via social engineering or exploitation of vulnerabilities in the companies’ systems, while persistence techniques might have allowed the attackers to remain in the environment undetected for extended periods. The overarching need for improved cybersecurity in the hospitality sector is clear, with regulatory oversight likely to drive the necessary reform.