Original Article Text

FTC orders Marriott and Starwood to implement strict data security

The Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels to define and implement a robust customer data security scheme following failures that led to massive data breaches. After acquiring Starwood in 2016 and failing to implement "reasonable data security," Marriott International suffered three major data breaches impacting 344 million customers globally.

Order for stronger measures

Now, the FTC has ordered Marriott and its subsidiary, Starwood, to establish a security program that would safeguard clients' sensitive data from hackers and give them better control over their data. According to the published order, the following key measures need to be taken:

The FTC order mandates that Marriott and Starwood implement the required comprehensive information security program and related measures within 180 days from the date the order takes effect, which is December 20, 2024, setting a deadline of June 17, 2025. The order will remain in effect for 20 years, with an option for extension under specific conditions.

Past incidents

In 2014, Starwood's payment systems were hacked, exposing customer data, with disclosure delayed by 14 months. Another breach, which lasted from 2014 to 2018, compromised 339 million guest records, including unencrypted passport numbers. That incident affected only guests at Starwood properties, whose reservation database had been compromised since 2014; Marriott inherited the compromise when it acquired Starwood. In 2018, hackers accessed the data of 5.2 million Marriott guests, but this was only detected in 2020, and the delay in detection and disclosure left customers exposed for the entire period. In October 2024, Marriott settled with the FTC over the above failures, agreeing to pay $52,000,000 to 49 states to resolve claims related to these data breaches.

Daily Brief Summary

DATA BREACH // FTC Mandates Marriott to Enhance Security After Multiple Breaches

The FTC has ordered Marriott International and Starwood Hotels to establish a comprehensive data security program following significant data breaches.

The breaches affected 344 million customers worldwide due to inadequate security measures after Marriott acquired Starwood in 2016.

The new security program must be implemented by June 17, 2025, and will be under FTC oversight for 20 years with potential for extension.

Past breaches at Starwood and Marriott exposed sensitive customer information, including unencrypted passport numbers.

The 2018 breach, disclosed in 2020, exposed the data of 5.2 million guests, highlighting the prolonged exposure caused by delayed detection and disclosure.

In October 2024, Marriott agreed to a $52 million settlement with the FTC to resolve claims from these breaches affecting customers across 49 states.