Marriott International Faces FTC Action Over Data Breaches: A Call for Enhanced Cybersecurity
In a significant move aimed at addressing the growing concerns over data security, the Federal Trade Commission (FTC) has ordered Marriott International, Inc. to enhance its cybersecurity measures and pay a hefty $52 million penalty. This action follows a series of alarming data breaches that compromised sensitive customer information, affecting over 344 million individuals. The FTC’s investigation revealed serious shortcomings in Marriott’s security protocols, particularly those inherited from its subsidiary, Starwood Hotels & Resorts Worldwide LLC, which Marriott acquired in 2016.
A History of Breaches
Marriott’s troubles began with a series of massive data breaches that occurred between 2014 and 2020. The first breach, which went undetected for 14 months, exposed a wealth of personal information. Subsequent breaches, including one that lasted from 2014 to 2018, compromised 5 million unencrypted passport numbers. The final breach, which affected Marriott’s internal network, remained undetected for two years, further underscoring the inadequacies of the company’s cybersecurity infrastructure.
The FTC’s investigation highlighted that Marriott and Starwood failed to implement essential security measures, such as password controls, access restrictions, and network segmentation. Alarmingly, the hotels did not patch outdated software or systems, nor did they adequately log and monitor network activity. The absence of multi-factor authentication (MFA)—a basic yet crucial security practice—was particularly concerning, given the scale of the breaches.
The FTC’s Findings
The FTC’s findings were stark. The agency noted that Marriott provided "deceptive information security statements" and that its security practices were grossly inadequate. Employees often relied on default, blank, or weak passwords, and the company failed to terminate accounts of former employees in a timely manner. These lapses severely hindered the ability of security teams to distinguish between authorized and unauthorized activities, allowing intruders to operate undetected for extended periods.
In its complaint, the FTC stated, "This failure prevented Respondents from detecting intruders in their networks—for several years during the Second Breach—and further prevented them from determining the information exfiltrated from their networks." Such negligence not only jeopardized customer data but also eroded trust in Marriott’s ability to safeguard sensitive information.
Settlement and Future Obligations
As part of the settlement, Marriott is required to implement robust security practices and undergo annual compliance certifications for the next 20 years. Additionally, the company must conduct third-party assessments of its cybersecurity program every two years. The settlements also mandate that Marriott and Starwood provide U.S. customers with a mechanism to request the deletion of personal information associated with their accounts.
The FTC’s proposed settlements are currently subject to public comment and final approval, but they represent a crucial step toward holding large corporations accountable for their cybersecurity practices. The agency’s actions serve as a reminder that companies must prioritize data security and take proactive measures to protect customer information.
Industry Reactions
Industry experts have weighed in on the implications of the FTC’s actions against Marriott. Dan Schiappa, chief product and services officer at Arctic Wolf, emphasized that while the threat landscape is constantly evolving, the fundamentals of cybersecurity remain unchanged. "Implementing identity access management tools like multi-factor authentication, adhering to strong password controls, and regular patching and updating schedules are all foundational elements of a comprehensive security plan," Schiappa noted.
The allegations against Marriott should serve as a cautionary tale for organizations that have not taken their cybersecurity measures seriously. As data breaches become increasingly common, the need for robust security practices is more critical than ever.
Marriott’s Response
In response to the FTC’s actions, Marriott stated that it is committed to enhancing its data privacy and information security programs. The company indicated that many of the necessary improvements are already in progress. However, the effectiveness of these measures will ultimately depend on their implementation and adherence to the FTC’s requirements.
As the digital landscape continues to evolve, organizations must remain vigilant in their efforts to protect customer data. The Marriott case underscores the importance of maintaining rigorous cybersecurity protocols and the potential consequences of neglecting these responsibilities. For consumers, the fallout from such breaches can be profound, highlighting the need for transparency and accountability in how companies manage sensitive information.
In conclusion, the FTC’s decisive action against Marriott International serves as a critical reminder of the importance of cybersecurity in today’s interconnected world. As companies face increasing scrutiny over their data protection practices, the lessons learned from this case will undoubtedly resonate throughout the industry, prompting a renewed focus on safeguarding customer information.