FTC Mandates Major Security Overhaul for Marriott and Starwood After Massive Data Breaches
The hotel chains must implement 13 strict measures to address security failures that exposed the sensitive data of 344 million customers across multiple breaches.
- The FTC finalized an order requiring Marriott and Starwood to strengthen their data security after three breaches from 2014 to 2020 impacted 344 million customers globally.
- Exposed data included passport numbers, payment card details, and personal information, with some breaches lasting years before detection.
- The mandated changes include creating a comprehensive security program, implementing multi-factor authentication, and monitoring IT assets for anomalies within 24 hours.
- Marriott must allow U.S. customers to request the deletion of their personal data and restore loyalty points lost in breaches.
- The order, effective December 20, 2024, requires compliance within 180 days and will remain enforceable for 20 years, with regular independent assessments.