Marriott International, Inc. has long highlighted core values of putting people first, pursuing excellence, acting with integrity, and serving the world. Today, the FTC and Attorneys General from 49 states and D.C. are jointly announcing an action that suggests the company may want to add a fifth value to that list: protecting customer data and privacy. 

According to today’s proposed complaint, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC had data security failures that led to at least three breaches between 2014 and 2020. First, the FTC says that between 2014 and 2018 bad actors were able to take advantage of weak data security to steal 339 million consumer records from Marriott’s subsidiary, Starwood, in two separate breaches. That included millions of passport, payment card, and loyalty numbers. Then, in 2020, according to the complaint, Marriott told its customers that bad actors had breached Marriott’s own network through a franchised hotel. This time the intruders stole 5.2 million guest records, which included significant personal information and loyalty account information. The stolen information was detailed enough, the complaint explains, that bad actors could use it to create highly successful, targeted phishing campaigns to commit fraud.

To settle the FTC’s case, Marriott and Starwood have agreed to a proposed order that will require them to implement processes and checks designed to prevent future problems by protecting personal information, detecting problems as they arise, and fixing any issues in a timely manner. Marriott has also agreed to pay $52 million as part of related settlements with state enforcers.

Here are some key lessons from the Marriott case.

  • Check out security practices when you acquire another company. The FTC’s complaint says Starwood’s breach was already happening before Marriott acquired the company and continued through and after the acquisition process. Remember that when you acquire a company, you’re not only buying the good stuff like its computers, software, systems, databases, and networks. You’re also buying the problems, like vulnerabilities, misconfigurations, and other security issues that may exist. Make sure you have a plan to bring the acquired company on board securely. And after the acquisition, take a careful look at the acquired company’s information security program. When – not if – you find problems, make a plan to address them. Don’t integrate the acquired company’s systems and technology into your network until you can do so safely and securely.
  • Use a multi-layered approach to data security. To protect personal information from bad actors, start with a risk assessment that looks at both internal and external risks. Go beyond basic security. And when you’ve figured out where the issues are, put multiple layers of controls in place. A few basic measures like training your employees to recognize attacks, using access controls, updating software, and having plans in place to deal with breaches when they occur can go a long way.
  • Collect and keep only the data you need. Malicious actors can’t steal what isn’t there, so give careful thought to what data you collect before you collect it, and don’t keep data longer than you need it. And make sure you’re giving your customers an easy way to let you know they want you to delete their personal information.
  • Vendor oversight is more important than ever. If you’re hiring someone to help you with your business, whether it’s to build your website or for another reason, make sure you choose vendors who make data security a priority. Use contracts to make sure your vendors have controls in place, and monitor your vendors’ activity to make sure they are complying.
  • Don’t forget franchisees. When you are working on your risk assessment, remember to take a closer look at your relationships with franchisees. Do your contracts require employee training and data security programs? Are you conducting audits? Make sure you’re watching for problems.

Learn more about protecting your customers’ data and privacy at Start With Security.
