The Federal Trade Commission (FTC) has finalized an order directing Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide to implement a robust data security program.
The FTC order, announced in October 2024, follows three massive data breaches that exposed the personal information of over 344 million customers worldwide.
Marriott operates over 30 hotel brands, managing over 7,000 properties in 130 countries. In 2016, it acquired Starwood for $13 billion, adding Westin, W Hotels, and St. Regis properties to its portfolio.
However, it also inherited appalling cybersecurity practices, which it failed to address promptly, resulting in the exposure of customers' personal data.
The exposed data included personal information such as names, email addresses, phone numbers, passport numbers, dates of birth, and gender.
The data breaches also exposed Starwood Preferred Guest (“SPG”) account information, reservation date, arrival and departure information, and communication preferences. For some customers, AES-128 encrypted payment card numbers and expiration dates were also exposed.
Marriott and Starwood to implement a robust data security program
The FTC order requires Marriott and Starwood to implement a comprehensive information security program and a data retention policy allowing US customers to request deletion.
The comprehensive security program also includes data encryption, enhanced access control, multi-factor authentication, and a mature and timely incident response.
Additionally, the companies must maintain an inventory of all IT assets and detailed records of security events. The hotel chain must also investigate suspicious activity within 24 hours and notify authorities of any data breaches within 10 days.
The FTC order also directs Marriott and Starwood to conduct biennial assessments of the data security program and report identified gaps for the next 20 years. It also prohibits Marriott and Starwood from misrepresenting how they collect, maintain, use, or disclose personal information.
Previously, the FTC had found that the hotel chains had made deceptive statements by claiming on their booking websites that they had adequate data security safeguards to protect personal information, when in fact they did not.
FTC order noted hotel chain’s shortcomings
The FTC order described how Marriott failed to implement "reasonable data security" measures after acquiring Starwood in 2016, and as a result did not detect a 2014 data breach of Starwood's systems until two years after the takeover.
Other shortcomings that the FTC order listed in October 2024 included the hotel chain’s failure to patch outdated software, and bad password and firewall practices.
“Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in October 2024.
The FTC order now requires all the mandated data security measures to be in place within 180 days of taking effect, roughly by June 17, 2025.
Besides the data security measures, Marriott and Starwood agreed to pay $52 million to class members in 49 states and Washington D.C. to settle lawsuits stemming from the three cybersecurity incidents. The FTC order itself, however, focuses only on implementing the data security program described above.
Meanwhile, hotels are attractive targets for cybercriminals because of the vast amount of personal and financial information they collect from customers. By issuing the order, the FTC hopes that other hotel chain operators will prioritize cybersecurity to prevent similar breaches.