If you’re a Marriott customer, FTC says the breach-plagued hotel chain owes you


The FTC has come down hard on hotel chain Marriott following a series of data breaches between 2014 and 2020 that harmed more than 344 million customers around the world.

In a Wednesday news release announcing a settlement order with the company, the agency said that Marriott must delete any personal data associated with a customer’s account upon request and restore any loyalty points lost as a result of the breaches. Further, the chain will have to dramatically tighten its security to better protect customers from future cyberattacks.

Marriott acquired Starwood in 2015, creating the world’s largest hotel company. But the years since have been problematic for the chain, at least when it comes to cybersecurity.

In its complaint, the FTC charged that the company failed to secure customer data in at least three separate data breaches. As a result, hackers were able to steal user information such as payment card numbers, loyalty numbers, passport data, dates of birth, and email addresses.

Specifically, Marriott and Starwood failed to set up proper password controls, access controls, firewall controls, or network segmentation, according to the FTC. The chain also neglected to patch outdated software and systems, monitor network environments, and implement effective multi-factor authentication. The company deceived its customers, the FTC added, by claiming to have reasonable and appropriate security in place.

Starting in June 2014, the first breach affected more than 40,000 Starwood customers and went undetected for 14 months. Starting in July 2014, the second breach led to the theft of 339 million Starwood guest account records and 5.25 million unencrypted passport numbers and was undetected until September 2018.

Starting in September 2018, the third breach impacted more than 5.2 million guest records, capturing names, mailing addresses, email addresses, phone numbers, and loyalty card information. This one went undetected until February 2020.

With all these breaches, the chain has faced a slew of lawsuits and fines. In another settlement with 50 state attorneys general announced on Wednesday, Marriott will have to pay a fine of $52 million. This one stems from the breach of its Starwood guest account database. With this settlement and the one with the FTC, the company has its work cut out for it.

For Marriott customers, the FTC settlement means the following:

  • You can ask the company to review your Bonvoy account for unauthorized or suspicious activity. If any loyalty points were stolen as a result, the company will be required to restore them.
  • Using the Marriott website or mobile app, you can request the deletion of any personal data associated with your email address or Bonvoy account number.
  • You’ll now be able to set up multi-factor authentication on your Bonvoy account to better secure it.
  • The company’s privacy policy must clearly explain why it’s collecting and keeping your personal data.

To beef up its cybersecurity, Marriott will also have to address the following:

  • The chain must set up a comprehensive security program that includes multi-factor authentication, encryption, and other safeguards.
  • It will have to cooperate with third-party audits of its information security program.
  • It can keep and store personal customer information only if there’s a business need.
  • The company can use the information it collects only for the stated purpose.
  • It must delete any information it has collected when no longer needed.
  • It cannot use any data that was supposed to be deleted for marketing reasons.

There’s even more on Marriott’s plate as a result of the settlement with the state attorneys general.

As part of its information security program, the company must establish zero-trust principles, regular security reporting to the CEO, and employee training on data handling and security.

To better protect customer data, Marriott must implement several measures, including component hardening, asset inventory, encryption, network segmentation, patch management, intrusion detection, user access controls, and the tracking of files and users within the network.

The hotel chain must also increase its security oversight of vendors and franchisees, paying special attention to risk assessments for critical IT vendors and cloud providers. If Marriott acquires another company in the future, it must analyze that business’s security and develop plans to identify and correct any gaps or weaknesses in its program.

Finally, Marriott will have to submit to an independent third-party review of its information security program every two years for up to 20 years.

“The recent settlements imposed on Marriott serve as a reminder of the increasing accountability businesses and their security leaders face regarding data security,” Darren Guccione, CEO and co-founder at Keeper Security, told ZDNET.

“The required implementation of a comprehensive information security program sets a benchmark for other companies to follow, and is a clear message from the FTC that negligence in protecting customer data can lead to substantial penalties and lasting reputational damage,” Guccione added. “Business leaders are now on notice that they must prioritize cybersecurity more than ever before. For consumers, the right to request data deletion and improved protection of loyalty accounts provide some reassurance that their privacy is being taken seriously.”